A vulnerability in the popular BitTorrent Transmission application allows malicious users to remotely control computers running the program. The disclosure was made by Google Project Zero researcher Tavis Ormandy, who said there may be the same security flaw in other BitTorrent clients.
The bug is in the feature that allows users to control BitTorrent from their browsers, and this feature is available in most BitTorrent applications that are running.
Ormandy he also says, that many are running the feature without a password because they believe it is required physics access to the system by hackers. But if someone in the know uses an attack method called DNS rebinding they can take control of the computer running the application.
All you need is a website that hosts the malicious code needed to exploit the vulnerability. At the moment, it seems that both Google Chrome and Mozilla Firefox on Windows and Linux can be used to attack.
The technique analysis of the vulnerability shows that hackers can change the download list of torrents and simultaneously use Transmission to run commands when downloads finish.
The worst thing is that Transmission programmers have so far ignored Ormandy who says he has been contacting them for a long time.
Please note that all the security flaws discovered by Project Zero are publicly disclosed 90 days after the company that developed the application. In the event that the company has not released any vulnerability update, Project Zero policy allows the vulnerability to be publicly announced. This time, however, Ormandy decided to publish all the details 40 days after the vulnerability was announced.
But see it below picture from qBitTorrent I use:
And below the web ui of Transmission:
According to the above images, I should mention that BitTorrent clients I know and I have used this feature disabled by default, so the Ormandy rush was probably not needed.
You have encountered a client with it activated remote control;