Mozilla Firefox
Mozilla is attempting to compel authorities in the US to hand over a potentially active security vulnerabilityReuters

A US federal judge has rejected an appeal by technology firm Mozilla to disclose a vulnerability in its software believed to be at the centre of an FBI investigation into a dark web-based website that hosted child pornography.

District Judge Robert Bryan declined to intervene in the ongoing case against a suspect called Jay Michaud, who is one of 137 people now facing charges in the US in relation to the FBI's probe into Playpen, an illicit website formerly hosted on the Tor network.

As Mozilla noted in its initial court filing, Tor, which is used to anonymise internet browsing, is partly based on the same open-source code used in its popular Firefox browser. This, the firm notes, means that any security flaw exploited by the FBI to crack down on the illegal website is also likely to impact its hundreds of thousands of users.

The situation escalated after the judge granted Michaud's defence team permission to know more about the vulnerability so they could mount a case. In response, Mozilla filed the motion in order to compel the release of the bug before it could be disclosed to the third-party – a move it believes could be dangerous for the security of its users.

"Although Mozilla is not opposed to disclosure to the defendant, any disclosure without advance notice to Mozilla will inevitably increase the likelihood the exploit will become public before Mozilla can fix any associated Firefox vulnerability," it said in the 11 May court submission.

However, in the wake of a plea from the US Justice Department citing "national security" Judge Bryan reversed his decision on Monday 17 May and said prosecutors no longer had to make any bug disclosure to Michaud's defence team.

The move, according to the judge, made Mozilla's appeal "moot". In a two-page filing, he said: "It appears that Mozilla's concerns should be addressed to the United States and should not be part of this criminal proceeding."

In light of this, as reported by Reuters, Mozilla said in a statement that it would continue to argue "the safest thing to do for user security is to disclose the vulnerability and allow it to be fixed." Meanwhile, a Justice Department spokesman declined to comment on the case.

The Playpen investigation has had its fair share of controversy. Thousands of people around the world are under investigation as a result of the case, however law enforcement recently encountered issues after two defendants secured rulings that declared their warrants invalid. These setbacks were largely due to "jurisdictional issues" that surround the FBI's use of malware to snare the suspects.

As previously reported, the FBI took over control of the Playpen website for almost two weeks in early 2015. It is believed the agency used the Tor, and potentially Firefox, vulnerability to learn the IP addresses of computers accessing the illegal website. During the period it was under its control, the agency used a court-ordered malware technique in an attempt to identify as many of the website's 214,898 members as possible.