Bittorrent (Transmission) Client vulnerability.
#1
Pirates are victimized too.

https://arstechnica.com/information-tech...-computer/

** note: the writer uses "bittorrent" rather loosely. I'm sure he meant "torrent" users, period.

Quote:There's a critical weakness in the widely used Transmission BitTorrent app that allows websites to execute malicious code on some users' computers. That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.
...
Attackers can exploit the flaw by creating a DNS name they are authorized to communicate with and then making it resolve to the localhost name of the vulnerable computer
...
A Transmission development official told Ars that he expected an official fix to be released "ASAP" but was not specific. He said the vulnerability was present only when users enabled remote access and disabled password protection. He said people who run the unpatched version of Transmission as a daemon should ensure they have enabled password protection.


SectorVector edited Jan 18, 2018 10:18 am this post because:

Quoted few lines from article for context. Titled edited.

Reply
#2
That wasn't about bittorrent, which btw isn't a client, but about Transmission.

And it's possible that it's true, but I'm not 100% sure it is.
Reply
#3
Why would a hacker attack a torrentor?
Well, we are sailors, and so is him. This sea is full of fish - shark included!
Reply
#4
joew771That wasn't about bittorrent, which btw isn't a client, but about Transmission.

And it's possible that it's true, but I'm not 100% sure it is.

Seriously? Did you read the whole article?
Who said it was about BiTTorrent?
Not I and most certainly not the Author.
Reply
#5
Yeah. I wasn't paying much attention. But it still isn't 100% true. Or probably even 90%.
Reply
#6
* Just FYI, There is a torrent client named after the protocol "BitTorrent" which is developed by the "BitTorrent, Inc." it is the official client.

You can now safely continue your discussion.

Quote:...That's according to a researcher with Google's Project Zero vulnerability reporting team, who also warns that other BitTorrent clients are likely similarly susceptible.

Clearly they are talking about the protocol.
Reply
#7
Excerpt from the article:

...exploits a Transmission function that allows users to control the BitTorrent app with their Web browser.
...the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site.


Thats why I never enabled/used the web interface anyway (sigh) - Shut web control off and set a huge password just for it then forget it! Sad

...Transmission [client], the BitTorrent [protocol] app [referring to the previous], and a web browser... *[notes by me]

It may apply to other clients without "out of ordinary" tweaks, like the BitComet team's. But if they avoided it, I guess it was unintentional, with other objectives.

Very dangerous in the wrong ("they") hands.
Reply
#8
It appears to be a flaw in the Transmission RPC protocol and hence that client, not the Bittorrent protocol.

Any other client with a similar architecture would perhaps be prone to this vulnerability ('DNS rebinding').
That is perhaps what the 'Google researcher' refers to.

The devil is in the details.

The important thing is, the problem status is shown as 'Fixed' on Jan 11 2018.
So, this is one week old, but still news.

A bug fix is available via here

The problem in Transmission client itself has been described clearly in Taviso's post, linked in the arstechnica article. That needs careful study.

At any rate the matter appears to have been solved.

Don't Panic Tongue

Ref: Transmission client architecture -- https://github.com/transmission/transmis...chitecture
Reply
#9
(Jan 18, 2018, 13:40 pm)SectorVector Wrote: The important thing is, the problem status is shown as 'Fixed' on Jan 11 2018.
So, this is one week old, but still news.
...
Don't Panic Tongue

Thanks for info.  Feel better, even if I use other client.  It's the "frequent updates" era...
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Remote Bittorrent not working surferbroadband 0 4,742 Mar 31, 2023, 00:03 am
Last Post: surferbroadband
  BitTorrent v2 Matthew 5 11,988 Jan 13, 2022, 19:04 pm
Last Post: Matthew
  Anyone use Transmission to create torrents? LadyAnn2 5 15,782 Aug 29, 2021, 19:42 pm
Last Post: LadyAnn2
  new owner of BitTorrent WW3hasstarted 1 10,685 Oct 29, 2020, 06:39 am
Last Post: dueda
  BitTorrent V2 coming soon WW3hasstarted 0 7,990 Oct 12, 2020, 09:45 am
Last Post: WW3hasstarted



Users browsing this thread: 1 Guest(s)