Tavis Ormandy, a vulnerability researcher at Google and a part of Google Project Zero, a team of security analysts specializing in finding zero-day vulnerabilities, revealed on Wednesday a vulnerability in BitTorrent’s uTorrent Windows and web client that allows hackers to either plant malware on the user’s computer or see their download activity.
Google Project Zero published their research once the 90-day window that it gave to uTorrent to fix the flaw before publicly disclosing it was over.
According to Ormandy, the flaws are easy to exploit and make it possible for hackers to remotely access downloaded files or download malware on their computers using the random token generated upon authentication.
He reported on Twitter that the initial fix that BitTorrent rolled out seemed to only generate a second token, which did not fix the flaw and said, “you just have to fetch that token as well.”
BitTorrent issued a statement on Wednesday regarding the issue:
Google Project Zero published their research once the 90-day window that it gave to uTorrent to fix the flaw before publicly disclosing it was over.
According to Ormandy, the flaws are easy to exploit and make it possible for hackers to remotely access downloaded files or download malware on their computers using the random token generated upon authentication.
He reported on Twitter that the initial fix that BitTorrent rolled out seemed to only generate a second token, which did not fix the flaw and said, “you just have to fetch that token as well.”
Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit. 😩— Tavis Ormandy (@taviso) February 20, 2018
BitTorrent issued a statement on Wednesday regarding the issue:
On December 4, 2017, we were made aware of several vulnerabilities in the uTorrent and BitTorrent Windows desktop clients. We began work immediately to address the issue. Our fix is complete and is available in the most recent beta release (build 3.5.3.44352 released on 16 Feb 2018). This week, we will begin to deliver it to our installed base of users. All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user’s consent (e.g. adding a torrent).