uTorrent bug allows websites to spy on PC and steal downloaded files

by Julie Splinters - - 2018-02-25

Google researcher uncovered another uTorrent bug allowing hackers to spread malware

uTorrent vulnerability allows hackers to steal downloaded data

Google’s Google Project Zero^[1] researcher Tavis Ormandy discovered a severe remote code execution^[2] bug in uTorrent Web, which will enable hackers to disseminate malware via hacked software on malicious websites. Hackers exploited a way to steal uTorrent’s authentication tokens and take complete control over the service.

Initially, this problem had been reported in December,^[3] except that it touched BitTorrent and uTorrent Classic. Then Ormandy warned clients that the vulnerability might allow hackers to infect websites from which torrents are downloaded and, therefore, allow them to see what software you tend to download. He pointed out that:

Once you have the secret, you can just change the directory torrents are saved to, and then download any file anywhere.

Cybercriminals found a way to steal tokens via torrent websites loaded over a web browser. This way they manage to steal the authentication token and may take full control over uTorrent service.

By default, uTorrent Web create an HTTP RPC server on port 10000 (uTorrent classic) or 19575 (uTorrent web). However, experts have found multiple flaws in the RPC server, which allows hackers to exploit any data using XMLHTTPRequest(). In other words, visiting practically any website can end up with software corruption and malware injection.

The flaw allows hackers to inject malware into Windows startup folder

uTorrent Web uses a web interface.^[4] Thus, in comparison to desktop apps, the service is controlled by a browser. Besides, the uTorrent web is configured to start along with the Window OS. This grants the service to be running and accessible all the time.

Once crooks steal the authentication token, they generate a random one and inject it in a configuration file, which must pass all URL parameter requirements. After the hack, the hijacked uTorrent Web server’s icon o will generate a browser window with the controlled client. This way, website’s owner or manager can give the software a command to download a severe infection, which is installed straight to the Windows startup.

BitTorrent has already patched the vulnerability

BitTorrent has already released an official patch build 0.12.0.502 for uTorrent Web bug. All clients can download it via the official uTorrent website or uTorrent app.

As pointed out by one of the uTorrent server’s engineers David Rees,^[5] “BitTorrent expects to have built fixes to all reported vulnerabilities available to customers within the next 24 hours.” Nevertheless, it’s important to keep a professional anti-malware enabled to minimize the risk of malware infection.

Before the patch is fully adopted by all uTorrent Web clients, it’s advisable to restrain from downloading torrents via the server.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions

References

^ Remote Code Execution Vulnerability in Electron Apps. Hackernoon. Tech news articles.
^ Andy Weir. uTorrent is moving to your web browser with its next major update. Neowin. Deep community of IT professionals.
^ Ros Mckillop. How to access uTorrent from a remote PC. Simple Help. Common questons, simple answers.
^ Ryan Whitwam. BitTorrent Rolls Out Questionable uTorrent Security Patch At The Last Minute. Extreme Tech. information on technology.
^ Project Zero. Google Project Zero Blog.