BitTorrent Security Flaw Lets Hackers Take Control of Computers

[WALLONN7]

Flaw exists in Transmission app and possibly other clients

 

A major vulnerability in the Transmission BitTorrent app allows hackers to remotely control a vulnerable computer, and Google Project Zero researcher Tavis Ormandy says there’s a good chance the same security flaw exists in other clients as well.

The bug resides in the feature that allows users to control BitTorrent clients from their browsers, and such functionality is available in the majority of apps, including Transmission.

Ormandy says many users run this feature without a password because they believe physical access to the system is required to control it, but a hacker turning to a method called domain name system rebinding can hijack it and in the end get remote control of the computer.

Loading a malicious site that hosts the code needed to exploit the vulnerability is all it takes for a hacker to get access to the system, and right now, it appears that both Google Chrome and Mozilla Firefox on Windows and Linux can be used as part of an attack.

 

Transmission ignored the private disclosure

 

The technical analysis of the vulnerability indicates that hackers can change the download directory of torrents and, at the same time, use Transmission to run commands when downloads come to an end.

The worst thing about the vulnerability is that Transmission developers have until now ignored the private disclosure, with Ormandy explaining that he even included a patch to address the flaw when he first contacted the company.

“I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see,,” the Google researcher said.

“I've never had an open source project take this long to fix a vulnerability before, so I usually don't even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we're talking about open source.”

Security flaws discovered as part of the Project Zero program are typically disclosed after 90 days since the first report if the parent company does not issue a patch and sooner if a fix is released. This time, however, Ormandy decided to make the details public after only 40 days following Transmission’s failure to answer his disclosure.

 

Source

[steven36]

This is  just in  the daemon version /web version  that has remote  on by default or maybe if you have turned remote on  and made yourself  vulnerable.

Quote

 slokhorst commented 7 hours ago
@yanosh-k I believe remote access is disabled by default in all clients (Qt, GTK+, macOS). I think it's only enabled by default in the daemon (obviously...)

You can check if your vulnerable by going to http://localhost:9091/ If you then see the Transmission web interface, you're vulnerable.

https://github.com/transmission/transmission/pull/468#issuecomment-357923483

 

When they started making web versions of Torrent clients i knew it was not safe  and never use them , unless  it's a leccher that  uploads the file to there site for you and download  or stream with 3rd party software.

[Katzenfreund]

In honesty, I didn't know that a torrent client could be controlled  from a browser, and now I wonder what would be the point of such control, since any decent client would have more torrenting facilities than a browser intended mainly for surfing.

 

Some people may think that torrenting with a browser could make use of a VPN included in the browser.  But tests I have seen show that the torrent doesn't go thru the VPN. Thus, one might falsely feel protected from monitoring and end up in trouble. A false sense of security is worse than no security at all.