BitTorrent is a widely used Transmission app for transferring large files, such as digital video files containing TV shows, movies or video clips, or digital audio files containing songs. It remains a prime source of entertainment for a large share of people using the web. But recently, Google’s Project Zero team discovered a “critical flaw” in the BitTorrent app that could allow hackers to remotely execute malicious code on BitTorrent users’ computers and take control of them.
According to Tavis Ormandy, the security researcher who uncovered the flaw, it is present in the Transmission function, which allows users to control the BitTorrent app from their web browser. He also warned that BitTorrent clients are susceptible to the flaw. On Monday, he tweeted about the flaw:
First of a few remote code execution flaws in various popular torrent clients, here is a DNS rebinding vulnerability Transmission, resulting in arbitrary remote code execution. https://t.co/kAv9eWfXlG
— Tavis Ormandy (@taviso) January 11, 2018
According to Ormandy’s proof-of-attack, using a hacking technique known as Domain Name System rebinding, the Transmission interface can be remotely controlled when a vulnerable user visits a malicious site. Ormandy states that this flaw works on popular web browsers such as Chrome and Firefox, and is applicable to both Windows and Linux.
As per his exploit, attackers can take control of users’ systems by creating a DNS name they are authorized to communicate with and then making it resolve to the local hostname of the vulnerable computer.
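A browser-reachable control interface can refuse the rebinding described above by checking the HTTP Host header, because a rebound request still carries the attacker's DNS name there even though that name now resolves to the local machine. The sketch below is an added example, not Transmission's code or Ormandy's proof of concept; the allowlist, the function names and the sample hosts and port in the test are assumptions.

```python
import ipaddress

# Hostnames the local control interface agrees to answer for (assumed allowlist).
ALLOWED_HOSTNAMES = {"localhost"}


def split_host_header(value):
    """Return the host part of a Host header, lowercased, without port or brackets."""
    value = value.strip().lower()
    if value.startswith("["):              # bracketed IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        if end == -1:
            return None
        rest = value[end + 1:]
        if rest and not (rest.startswith(":") and rest[1:].isdigit()):
            return None
        return value[1:end]
    host, sep, port = value.partition(":")
    if sep and not port.isdigit():         # malformed port, or unbracketed IPv6
        return None
    return host.rstrip(".")                # treat "localhost." like "localhost"


def host_is_trusted(host_header, allowed=ALLOWED_HOSTNAMES):
    """True only if the Host header names this machine, not an outside DNS name."""
    if not host_header:
        return False
    host = split_host_header(host_header)
    if not host:
        return False
    try:
        # IP literals: accept loopback addresses only (127.0.0.0/8, ::1).
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass
    # Not an IP literal: the name must be on the allowlist. A rebound request
    # fails here because its Host header is still the attacker-controlled name.
    return host in allowed
```

A server would call `host_is_trusted()` on every request before any RPC handling and answer with an error status when it returns False.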
Last week, the Project Zero researchers published the proof-of-concept attack code. It’s worth noting that Project Zero normally refrains from making the details of such flaws public for 90 days or until the fix is released. However, in this case, the flaw was made public only 40 days after the initial report.
Ormandy and Google’s Project Zero were forced to go public with details about the flaw because BitTorrent’s Transmission developers have apparently failed to patch it, despite being notified more than 40 days ago.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently,” Ormandy wrote in his report.
A fix is expected to be released as soon as possible, a development official with Transmission told ArsTechnica. However, no specific date was given.