Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
BitTorrent Security Flaw Lets Hackers Take Control of Computers
#1
http://news.softpedia.com/news/bittorren...9392.shtml     BitTorrent Security Flaw Lets Hackers Take Control of Computers

Flaw exists in Transmission app and possibly other clients
Jan 16, 2018 09:34 GMT  ·  By Bogdan Popa ·  Share:      
A major vulnerability in the Transmission BitTorrent app allows hackers to remotely control a vulnerable computer, and Google Project Zero researcher Tavis Ormandy says there’s a good chance the same security flaw exists in other clients as well.

The bug resides in the feature that allows users to control BitTorrent clients from their browsers, and such functionality is available in the majority of apps, including Transmission.

Ormandy says many users run this feature without a password because they believe physical access to the system is required to control it, but a hacker turning to a method called domain name system rebinding can hijack it and in the end get remote control of the computer.

Loading a malicious site that hosts the code needed to exploit the vulnerability is all it takes for a hacker to get access to the system, and right now, it appears that both Google Chrome and Mozilla Firefox on Windows and Linux can be used as part of an attack.

Transmission ignored the private disclosure
The technical analysis of the vulnerability indicates that hackers can change the download directory of torrents and, at the same time, use Transmission to run commands when downloads come to an end.

The worst thing about the vulnerability is that Transmission developers have until now ignored the private disclosure, with Ormandy explaining that he even included a patch to address the flaw when he first contacted the company.

“I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see,,” the Google researcher said.

“I've never had an open source project take this long to fix a vulnerability before, so I usually don't even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we're talking about open source.”

Security flaws discovered as part of the Project Zero program are typically disclosed after 90 days since the first report if the parent company does not issue a patch and sooner if a fix is released. This time, however, Ormandy decided to make the details public after only 40 days following Transmission’s failure to answer his disclosure.

#Google#BitTorrent#Transmission#security flaw#BitTorrent clients
Reply
#2
"Google Project Zero researcher Tavis Ormandy says there’s a good chance the same security flaw exists in other clients as well."

I'm using qbittorrent, I hope this vulnerability is not in qbittorrent. Transmission team should have done better job at fixing it after getting privately disclosed.
Reply
#3
Im using Deluge and QBIT, im waithing that this vulnerability  it's not a problem for me.
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  TikTok denies security breach after hackers leak user data, source code tarekma7 0 2,101 09-06-2022 , 10:19 AM
Last Post: tarekma7
  AMD confirms its Windows driver was at the mercy of hackers due to a dozen security mrtrout 0 812 11-14-2021 , 11:58 PM
Last Post: mrtrout
  New macOS zero-day bug lets attackers run commands remotely mrtrout 0 793 09-21-2021 , 09:48 PM
Last Post: mrtrout
  Multiple security flaws let hackers infiltrate D-Link routers Bjyda 0 1,258 12-17-2020 , 10:18 PM
Last Post: Bjyda
  Kremlin hackers are right now exploiting security hole in VMware software to hijack s mrtrout 2 2,073 12-10-2020 , 07:52 AM
Last Post: divinenews



Users browsing this thread: 3 Guest(s)