This week, an exploit was publicly distributed that could break into the computers of those using the Tor Browser or Firefox. The Tor Project and Mozilla patched the underlying vulnerability on Wednesday.
One research company gave details of the exploit method used to a defensive cybersecurity firm last year so it could protect its own clients’ systems. In turn, the exploit research company went on to sell details of the recent Firefox vulnerability to another customer for offensive purposes this year, according to two sources.
The case highlights the often antithetical relationship between companies that research and develop exploits, and those who maintain the affected software. But it also shows an instance of a company selling related exploit information to both defensive and offensive customers.
Back in December 2015, cybersecurity firm Fortinet announced it had added an intrusion detection system (IDS) signature for a Firefox zero-day; that is, a security issue unknown to Mozilla, which develops Firefox. IDS signatures are used to detect particular exploits or types of attack.
Fortinet confirmed to Motherboard that the IDS signature from 2015 would detect the recently uncovered exploit. (Some IDS signatures may target techniques or tricks that are common to many exploits at once.)
“The IPS signature you linked does protect against the Firefox/Tor Browser Vulnerability,” a Fortinet spokesperson wrote in an email. “The IDS signature defends against the exploit method used and was not specifically developed to defend against the recent Firefox/Tor browser zero-day,” the spokesperson added.
According to a tweet from the company last year, Fortinet was provided details on the exploit method from Exodus Intelligence.
Exodus is a company that researches vulnerabilities, purchases and develops exploits, and then sells them to customers for both offensive and defensive purposes. For the former, customers can use the exploit to break into systems; for the latter, clients can use the information to patch machines, protecting them from attacks, as Fortinet did. (Earlier this year, Exodus announced it would pay $500,000 for vulnerabilities affecting iOS.)
But according to two sources familiar with Exodus' operations, the company didn't just provide related exploit information to Fortinet: Exodus sold the exploit for the newly uncovered Firefox attack to an offensive customer.
“The vulnerability details and working exploit code were sold by Exodus to an offensive customer at the beginning of 2016,” one source told Motherboard.
Recently, Exodus’ website has emphasized the company’s defensive offerings, and said it was moving towards a practice of “coordinated disclosure,” in which Exodus would eventually inform vendors affected by its exploits of the security issues.
But providing related information to both defensive and offensive customers may irritate each side of the exploit company’s client base.
“You could sell it to defensive customers so that they can protect themselves, but then if you’re going to sell it to offensive customers,” what’s the point, one source said.
“You’re screwing them over,” they said.
Denelle Dixon-Thayer, Mozilla chief legal and business officer, told Motherboard in a statement: “If vulnerabilities are known they should be disclosed to vendors right away in order to protect users. Cybersecurity is a shared responsibility and we encourage tech companies, researchers and governments to share information with us so that we can investigate vulnerabilities and fix them.”
In a previous version of Exodus’ website, under a section called “We Equip A Wide Range of Clientele,” the company points out that the FBI has used exploits in its investigations. According to one of the sources, law enforcement agencies make up “95 percent of their customers.”
As for this particular exploit, “An offensive customer at a law enforcement agency had it sometime this summer,” the source said, adding that it may have been given to multiple parties.
Exodus, including Logan Brown, the company’s president, did not respond to multiple requests for comment, and did not respond to a specific, emailed question on whether Exodus sold this exploit to an offensive customer.
According to a report from Mozilla, someone may have tried to use the same attack in June of this year, although it crashed the browser. As Motherboard reported on Wednesday, the recently publicly disclosed exploit was deployed against users of a dark web child pornography site.
Update: This piece has been updated to add information from another source.