TORRENTING SERVICE uTorrent is urging users to upgrade to the latest version of its file-sharing service after its client fell foul to server security flaws.
Google's Project Zero security bug sniffer Travis Ormandy discovered multiple holes in the uTorrent client for web and desktop that would have allowed hackers to infect a victims computer with malware or steal data relating to their past downloads.
The crux of the bugs lies in both uTorrent clients exposing an open Remote Procedure Call (RPC) server - such servers are used by programs to request a service from another located on a computer on a different network without the need to understand the network details. Ormandy said hackers can hide commands for the RPC server in web pages and simply need to trick a uTorrent user into accessing the malicious web page.
"By default, uTorrent create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). There are numerous problems with these RPC servers that can be exploited by any website using XMLHTTPRequest(). To be clear, visiting *any* website is enough to compromise these applications," he explained.
As Ormandy disclosed the vulnerabilities to BitTorrent, the firm behind uTorrent, in December, the company had plenty of time to create patches to plug the security holes.
Version 188.8.131.52352 for uTorrent Classic, the desktop client, is said to have squashed the bugs, while version 0.12.0.502 for uTorrent Web fixes the flaws.
However, Ormandy wasn't convinced uTorrent Web was properly secured with the update, and thus released his bug findings online.
"The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway," Ormandy said.
"I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch. We've done all we can to give BitTorrent adequate time, information and feedback, and the issue remains unsolved."
But BitTorrent said it should have all the bugs Ormandy was worried about squashed this week.
"All users will be updated with the fix automatically over the following days. The nature of the exploit is such that an attacker could craft a URL that would cause actions to trigger in the client without the user's consent (e.g. adding a torrent)," said Dave Rees, BitTorrent's vice president of engineering told The Register.
Unfortunately, uTorrent is no stranger to security flaws have seen its forum hacked leading to 35,000 accounts getting compromised. µ
It's the week in Google news
Erik Estrada wouldn't have stood for this
Hacks in support of WikiLeaks founder target gov websites