A vulnerability in the popular BitTorrent Transmission application allows malicious users to remotely control computers running it program. The revelation was made by Google Project Zero researcher Tavis Ormandy who said that there is a possibility that the same security flaw exists in other BitTorrent clients.
The bug is in the feature that allows users to control BitTorrent from their browsers, and this feature is available in most BitTorrent applications that are running.
Ormandy he also says, that many are running the operation without one code πρόσβασης επειδή πιστεύουν ότι απαιτείται φυσική πρόσβαση στο σύστημα από τους hackers. Αν όμως κάποιος που γνωρίζει χρησιμοποιήσει μια μέθοδο attacks called DNS rebinding can take control of the computer running the application.
All it takes is a website that hosts the malicious code needed to exploit the vulnerability. Right now it seems, both Google Chrome and Mozilla Firefox on Windows and Linux can be used for the attack.
Technical analysis of the vulnerability shows that hackers can change the torrents download list and simultaneously use Transmission to run commands when downloads are over.
The worst thing is that Transmission programmers have so far ignored Ormandy who says he has been contacting them for a long time.
Please note that all the security flaws discovered by Project Zero are publicly disclosed 90 days after the company that developed the application. In the event that the company has not released any vulnerability update, Project Zero policy allows the vulnerability to be publicly announced. This time, however, Ormandy decided to publish all the details 40 days after the vulnerability was announced.
But see the following image from the qBitTorrent I use:
And below the web ui of Transmission:
According to the above images, I should mention that BitTorrent clients I know and I have used this feature disabled by default, so the Ormandy rush was probably not needed.
Have you met a client with remote control enabled?