Jump to content
  • A BitTorrent Client WebUI Shouldn’t Be Shared With The Entire Internet

    Karlston

    • 727 views
    • 4 minutes
     Share


    • 727 views
    • 4 minutes

    While it's nice to share a bottle of fine wine over a tasty meal with a loved one, some things are best unshared. Take torrent client web interfaces, for example. They can be convenient and in some cases look very nice but with no security, every download has a global audience, including new torrent transfers added by passing strangers.

     

    The word ‘open’ in a connected world can be something positive. Open source, for example, or open library. On other occasions the opposite can be true; unnecessary ports left open on a router springs to mind.

     

    For millions of people using devices that appear to configure themselves, whether something is open or closed is irrelevant. If a device immediately works as promised, oftentimes that’s good enough. The problem with some internet-connected devices is that in order to immediately work in the hands of a novice, security gives way to ease of use, and that can end in disaster.

    Torrent Client WebUI

    Many of today’s torrent clients can be operated via a web interface, commonly known as a WebUI. A typical WebUI is accessed via a web browser, with the client’s IP address and a specified port number providing remote access.

     

    In a LAN environment (the part of a network behind the router, such as a home) the torrent client’s web interface serves local users, i.e those with direct access to the local network, typically via Wifi. The problems begin when a torrent client’s WebUI is exposed to the wider internet. In broad terms, instead of the client being restricted to IP addresses reserved for local uses (starting 192.168.0.0 or 10.0.0.0), anyone with a web browser anywhere in the world can access the UI too.

     

    In many cases, a WebUI can be secured with a password or by other means but when users are allowed to do that themselves, many never do, despite the warnings. That could end in disaster if the wrong person decides to let rip from the other side of the world.

    Specialized Search Engines

    Internet-connected devices are easily found using services such as Shodan, Censys, Fofa and Onyphe.io and those that are poorly configured are in plentiful supply.

     

    tixati1.png

     

    The image above shows a WebUI for the Tixati torrent client. With zero security, everything is on full display, just as it is for the person who operates the client, whoever they might be. This means that all downloads and uploads can be browsed, including data related to those transfers, as seen below.

     

    tixati2.png

     

    It can take just a couple of minutes to find hundreds of open clients. A common WebUI seen in the wild belongs to qBittorrent but the overwhelming majority are locked down, just as they should be.

    That’s Not Ideal

    For reasons that aren’t entirely clear, the Android torrent client ‘tTorrent‘ is quite popular in Russia.

     

    ttorrent-rus.png

     

    It’s possible that people install tTorrent on always-on set-top boxes, so the latest movies are ready to go as soon as they get home from work, or the local bar. The problem here is that with an entirely exposed WebUI, people can find out what Russians are downloading.

     

    ttorrent12.png

     

    The average Russian citizen probably won’t mind if outsiders discover their Mortal Kombat habit; they made the decision to download it, so that’s that.

     

    But what if strangers passing by in the night had influence over content consumed locally? What if those strangers decided to utilize their control of an open WebUI to share news from the other side of the world, downloaded directly to their new friend’s Android device?

     

    If they did, it might look a lot like this….

     

    ttorrent13.png

     

     

    A BitTorrent Client WebUI Shouldn’t Be Shared With The Entire Internet


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...