Report: Feds staying mum on possible Firefox vulnerability

frogboy

In memoriam 1961-2018
Thread author
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
Experts are speculating that the FBI may be closely guarding a secret vulnerability in the Firefox browser that it can exploit for future law enforcement purposes, according to a Motherboard report yesterday.

The article refers to a network investigative technique that the FBI used to hack visitors of the Playpen child pornography website. That site runs on the encrypted Tor network, but an exploit that works on the Tor browser would also work just as effectively on Firefox, upon which Tor was built.

Full Article. Report: Feds staying mum on possible Firefox vulnerability
 

Exterminator

Level 85
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Is the FBI Hiding a Firefox Zero-Day?

A question posed by a researcher from the International Computer Science Institute in Berkeley, California has led many to believe, even us, that the FBI may be sitting on a Firefox zero-day which it is currently fighting in US courts to keep secret.


All the time while everybody was focused on the Apple vs. FBI fight to unlock the San Bernardino's shooter iPhone, the FBI's lawyers and the US Department of Justice were also busy battling the defense in a related case.

It all started with a seized Dark Web child pornography website
Back in March 2015, the FBI managed to seize the Web server on which the "Preteen Videos—Girls Hardcore" Dark Web portal was running, a forum on which child pornography was being freely exchanged.

The Bureau says it used a network investigative technique (NIT) to detect and pinpoint the location of users that accessed and posted on that website, charging 137 US citizens following the incident.

One of those was Jay Michaud, who denied the FBI's claims and whose lawyers wanted the FBI to provide access to the forensics tools used to incriminate their client, so their technical expert could analyze its accuracy.

Signs point to the FBI using a Tor Browser exploit
Since Dark Web websites can be accessed only via special technology, like the Tor Browser, it makes technical sense that the FBI used an exploit in this tool to locate all 137 suspects, and even more that were reported to agencies in other countries. The theory was also confirmed by US-based news outlets following the Michaud case.

What not all people know is that the Tor Browser is not really a standalone browser at all. The Tor Project used a version of the Firefox ESR (Extended Support Release) browser to add their encrypted-layered-proxy technology on top and create the Tor Browser.

As Mr. Weaver points out, "the Tor Browser is simply Firefox running in a hardened mode." This means that if US news outlets and Michaud's lawyers are right, and the FBI is sitting on a Tor Browser vulnerability, then automatically that's a Firefox vulnerability as well.

Tor Browser exploits are automatically Firefox exploits as well
"While many Firefox exploits will not work against the Tor browser—particularly those relying on Flash—the converse is not necessarily true. To the contrary, any Tor browser exploit is almost certainly a Firefox exploit too," Mr. Weaver also notes, leveraging his expertise in computer science.

Since the US DoJ is mounting an all-out assault to keep the Tor Browser exploit out of the public eye, common sense dictates that this is a previously unknown issue, otherwise, why bother.

Firefox is managed as an open source project, so all vulnerabilities are publicly disclosed after being patched. If this was an exploit based on an old flaw, it wouldn't make sense to fight in court to keep it secret, since everybody already knows about it.

In infosec terms, these types of unknown and unpatched vulnerabilities, also used in live attacks, are called zero-day vulnerabilities. At this moment, all of the FBI's actions point to the fact that the Bureau may be hoarding a Firefox zero-day, something which it plans to use in future investigations as well.
 

Entreri

Level 7
Verified
May 25, 2015
342
Pedos and terrorists, pedo terrorists (ISIS).

However, these freaks keep expanding this security apparatus to include other "crimes" and eventually all "crime". Blow to democracy and onward to paradise/North Korea.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
It's a delicate point....I always wrote privacy "Privacy" and I still think it's a fondamental right to be defended.
I also think that justice is a fundamental right.
Between the two I prefer the second one: criminals need to be prosecuted and stopped.
We need stronger, better laws/controls to protect us from the "bad guys" among the "good guys" and not to help the bad guys to run free.
(Mass)Surveillance should only be used to protect us from bad and heavy crimes and dangers...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top