On November 29, someone posted on the Tor mailing list that an exploit was “actively used against TorBrowser NOW.” Mozilla quickly patched the bug, but not without raising consumer concerns. Now researchers have discovered that an exploit broker sold the exploit earlier this year to both offensive and defensive customers.
Fortinet, a cybersecurity firm that works with Mozilla, developed an intrusion detection system (IDS). A Fortinet spokesperson told Motherboard that this IDS would detect the exploit in question.
In a recent email, the Fortinet spokesperson said: “The IPS signature you linked does protect against the Firefox/Tor Browser Vulnerability.” She added that “The IDS signature defends against the exploit method used and was not specifically developed to defend against the recent Firefox/Tor browser zero-day.”
According to a tweet from December 2015 that Forbes found, Fortinet bought the exploit from another cybersecurity company, Exodus. In a reply to another Twitter user, Fortinet wrote: “This one came to us from @ExodusIntel. No active attacks, just us adding protection in advance of a real threat.” Exodus finds, buys, and sells exploits to malicious hackers and to security firms like Fortinet. Fortinet and similar cybersecurity firms use these exploits and vulnerabilities to strengthen the security of their clients. In this case, Fortinet bought the exploit to protect its clients, notably both Mozilla and Cisco.
However, a clear conflict of interest emerged when a source told Motherboard: “The vulnerability details and working exploit code were sold by Exodus to an offensive customer at the beginning of 2016.” (Emphasis my own.) Forbes then spoke with Exodus president Logan Brown about the exploit. “We have definitely delivered to our clients multiple Firefox [exploits] over the years. This one does look similar to one of ours, but we’re currently investigating how it was leaked or how it was used,” he said.
According to Forbes, a source revealed that this exploit was the same one used by the FBI in the PlayPen investigation. Brown said that a former Mozilla employee had originally discovered the vulnerability. He also claimed that Exodus never sold to foreign law enforcement agencies, even though the most recent exploit phones home to a server in France. Other governments do receive information, though, he said: “We have a few allied countries that subscribe, who get the same stuff as Fortinet and those guys, and our government.” Some security researchers said the hack was unlikely to have been used by the FBI, as no judge would sign off on such a warrant.
The Exodus blog post published earlier this year mentioned vendor disclosure, but not as a fully inclusive policy. Brown told Forbes:
Our disclosure policy wasn’t intended to be taken that every single thing we know about is going to be disclosed to the vendor. It’s only when we can do it without upsetting the researchers or disrupting the normal flow of business. We like to disclose when we can but not everything is going to be able to be disclosed.
Brown said Fortinet and Exodus have ended their partnership, but that Exodus would help with any fallout from this so-called leak. “If a capability does transition to the wild, we change mentalities to analysis and make sure everyone is protected,” he said. Notably, Exodus revealed a major Tails hack in 2014. The company has not clarified whether Mozilla or another defensive firm purchased the exploit.
Christopher Soghoian, the principal technologist at the ACLU, said that the changes to Rule 41 opened a gateway to more of the same. “This is now a global phenomenon. We should expect to see a lot more of this. Whether by French, Spanish, Dutch, the Russians,” he added. “It’s a bit like an oil spill. When an oil pipeline runs through a community they’re told it’s safe, but there are accidents. They happen and then the consequences are not borne by the entity that has the accident, they’re borne by the environment around it.”