In March, Wikileaks started publishing alleged CIA documents concerning the agency’s hacking operations and capabilities. Wikileaks also said it had obtained details of vulnerabilities CIA hackers took advantage of, and offered to provide these to affected vendors so the issues could be fixed.
Firefox maker Mozilla was one of those vendors, but as it now turns out, Mozilla says it had already patched Firefox attacks related to those provided by Wikileaks—the organization had previously fixed the issues in earlier versions of the web browser.
Videos by VICE
“Wikileaks sent us three javascript files in a directory called ‘stackup.0’,” Daniel Veditz, security lead at Mozilla, writes in Bugzilla, a system for tracking the progress of dealing with bugs, a month ago. “Note that the Wikileaks dump might be old,” he continues.
As the thread develops, others chime in, saying the attack is taking advantage of the same vulnerability as a previously documented attack.
“I am satisfied that this is just bug 983344 again,” Steve Fink from Mozilla writes. That specific vulnerability was reported three years ago, and according to another post from Veditz, came from Pwn2Own 2014. Pwn2Own is an annual competition for bug hunters and exploit developers; winners are paid for their discoveries, and the conference organizers provide details of the attacks to vendors so the problems can be patched.
Another thread also attributes the second attack to the same bug, and a third apparently will not work because a necessary setting was removed from Firefox 21 (the latest version is 53).
A Mozilla spokesperson told Motherboard in an email that Mozilla had received one report from Wikileaks that described three potential security vulnerabilities.
“We have completed our analysis of these vulnerabilities and determined that these issues were fixed in November 2012 and March 2014. Current versions of Firefox are not at risk,” the spokesperson said.
“When we receive information, regardless of the source, about anything that needs to be patched, we will take the necessary steps to remedy and will follow our published notification procedures.”
Read more: Wikileaks Just Dumped a Cache of Information on Alleged CIA Hacking Tools
Mozilla did not respond to follow up questions on whether it had to sign some sort of agreement with Wikileaks in order to receive the vulnerability details, as a previous Motherboard report suggested.
Wikileaks has attempted to provide vulnerability information to Microsoft, Apple, and Google. The status of those disclosures remains unclear. Wikileaks did not immediately respond to a request for comment.
Even if the issues were already fixed, these details did at least give researchers a chance to see what alleged CIA hacker code looks like.
“The code is remarkably clear and well-commented; I wish our own code was up to its standard more often!” Fink writes.
Subscribe to Science Solved It, Motherboard’s new show about the greatest mysteries that were solved by science.