Slashdot Mirror


Pirate Bay Browser Streaming Technology Is a Security and Privacy Nightmare (softpedia.com)

An anonymous reader writes: Last week the Pirate Bay added support for streaming video torrents inside the browser in real-time. Kickass Torrents followed the next week. The technology they used is called Torrents Time. A security researcher has discovered that this technology, which is a mix of client- and server-side code, is actually a security and user privacy disaster. Attackers can carry out XSS attacks on TPB and KAT, the app runs on Mac as root, attackers can hijack downloads and force malicious code on the user's PC, and advertisers can collect info on any user that has Torrents Time installed.

72 comments

  1. Next on the news... by MitchDev · · Score: 4, Insightful

    MPAA and RIAA releases tainted movies and music on torrents themselves...

    1. Re:Next on the news... by ickleberry · · Score: 2

      RIAA.. now there's a name I haven't heard in a while. Are they still around?

    2. Re:Next on the news... by Anonymous Coward · · Score: 1

      As long as there are computerless grandmothers out there, they will be watching.

    3. Re:Next on the news... by Anonymous Coward · · Score: 0

      RIAA.. now there's a name I haven't heard in a while. Are they still around?

      Apparently they finished wanking over Megaupload and IsoHunt dead corpses.

      Which bookmark will I have to switch to a new one tomorrow?

    4. Re:Next on the news... by gstoddart · · Score: 4, Informative

      You don't need to hear their name, the US government has now been tasked to do this shit on their behalf, they just write the text of the laws and treaties behind the scenes.

      You don't think ICE policing copyright because they're under the control of DHS was an accident, do you?

      Once the agency with the keys to the kingdom polices copyright, you can be more in the background.

      --
      Lost at C:>. Found at C.
    5. Re:Next on the news... by Shadow+IT+Ninja · · Score: 1

      Absolutely. The university where I work just instituted a block on BitTorrent, using a new application firewall, because of increased pressure from the RIAA.

    6. Re:Next on the news... by CeasedCaring · · Score: 3, Funny

      MPAA and RIAA releases tainted movies and music on torrents themselves...

      Didn't they merge to become MAFIAA (Music And Film Industry Associations of America)?

    7. Re:Next on the news... by JustAnotherOldGuy · · Score: 4, Informative

      You don't need to hear their name, the US government has now been tasked to do this shit on their behalf, they just write the text of the laws and treaties behind the scenes.

      This is, sadly, an extremely accurate description of how things work now. The corporations provide "advice" and "policy position consulting" in the form of fully-written bills and treaty amendments, and the law makers just staple them into the binder.

      I'm not kidding in the least, this is literally how it works these days.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    8. Re:Next on the news... by sudon't · · Score: 2

      The RIAA performs a very important function - setting the equalization curve for phonograph records. Of course, now that that's done, I suppose they're no longer needed.

      --
      -- sudon't

      Air-ride Equipped

    9. Re:Next on the news... by guises · · Score: 2

      this is literally how it works these days.

      Look, I get that everyone's tired about the pedantry surrounding that word, but it only stems from the fact people keep abusing it. Just take half a second to think to yourself before you say "literally": is this really true? Is it literally literally? Even if the answer is no, that doesn't have to cripple your argument. There are other perfectly acceptable words which can impart emphasis.

      Why would law makers staple bills into a binder? That's not what binders are for. The whole reason you use a binder is so that you don't have to staple.

    10. Re:Next on the news... by JustAnotherOldGuy · · Score: 1

      Actually, that *is* how it works...Senate staffers "request guidance" from industry execs, they write up whatever wet-dream they want for legislation and it is often incorporated *exactly* as written. If you think this isn't how it works, you've not been paying attention. No, not every time, but often.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    11. Re:Next on the news... by Anonymous Coward · · Score: 0

      Way to diffuse the real argument by telling the person about how a word literally works and is applied. *slow clap*

    12. Re: Next on the news... by Anonymous Coward · · Score: 0

      I've been speaking English for more than 50 years. Only illiterates and idiots use literally to mean "not literally".

    13. Re:Next on the news... by Rakarra · · Score: 1

      this is literally how it works these days.

      Look, I get that everyone's tired about the pedantry surrounding that word, but it only stems from the fact people keep abusing it. Just take half a second to think to yourself before you say "literally": is this really true? Is it literally literally? Even if the answer is no, that doesn't have to cripple your argument. There are other perfectly acceptable words which can impart emphasis.

      The answer in this case is "yes," it is literally literally true. As in, what the GP said happens is exactly what happens, it's no analogy or exaggeration. It's not 100% true in every single circumstance, but few things ever are.

    14. Re:Next on the news... by KGIII · · Score: 1

      Funny you mention that. Earlier today, I was sitting around and being pretty lazy (I do this often) and was poking around on my network back home. I was rooting for some pictures to show the missus and I found an old, and I mean old, folder that I'd copied. It was the favorites folder, probably from an old Opera install, sometime around 2002 - according to the dates on the files inside the folder. They were all links to what was once a favored site, obviously.

      I didn't keep track and I've never looked for a way to automate it but it's amazing how many of them are no longer valid links. They're all gone... No, not all. Many are 404 or other errors. Some are just placeholder domains now. A couple still retained a warning about file sharing of copyrighted data and that it was against the law (complete with logo). Some just returned an error page, not even a 404 and the domain had long since expired.

      It's really amazing how much has gone away. It's unfortunate, in a way. Sure, there are new and interesting things but I actually was reminded of some of the content that used to be there (and how much my taste has changed). 'Tis all gone... I'd guess that maybe 3/5 of the links were dead and gone. Probably another 1/5 was there but no longer what was expected or redirected to the base URL or the likes.

      --
      "So long and thanks for all the fish."
  2. Oh dear balls. by Anonymous Coward · · Score: 0

    I was about to come in here expecting to have to reply with "oh boy, someone doesn't know how torrents work", but this is an actual bad problem.

    How did they manage to fuck that one up?

    1. Re:Oh dear balls. by Anonymous Coward · · Score: 0

      How did they manage to fuck that one up?

      Even The Pirate Bay itself is quite hacked code.

      Remember that these softwares are made by amateurs who spent their time downloading warez instead of getting proper professional programming education.

    2. Re:Oh dear balls. by xvan · · Score: 2

      Mr. Sampson discovered that he could open a Torrents Time video player inside this malicious page and serve the user the torrent files they wanted. This could let the user think they're accessing a trustworthy Torrents Time video player, when, in reality, the attacker could be delivering malicious code in the background while the user is watching a movie.

      So this is no different than downloading a torrent from an untrustworthy source... assuming anyone using The Pirate Bay cares about trustworthy sources. To execute the malicious code, you'd need to exploit the media player used by the application/browser.

      "XSS on The Pirate Bay and Kickass Torrents"

      So an attacker could theoretically get your pirate bay cookies, oh, the horror.

      I still prefer to use qbittorrent and mplayer for "streaming" but I can't see any major fuck up here.

    3. Re:Oh dear balls. by tnk1 · · Score: 5, Insightful

      Even The Pirate Bay itself is quite hacked code.

      Remember that these softwares are made by amateurs who spent their time downloading warez instead of getting proper professional programming education.

      Actually, I doubt that they lack CS education. What they lack is QA. "Good" developers with educations let this sort of shit through all the time. The businesses who make software actually make an effort to test their software for security and functionality.

      The problem with these guys is that coding is sexy, QA is not.

    4. Re:Oh dear balls. by Anonymous Coward · · Score: 1

      "The businesses who make software actually make an effort to test their software for security and functionality."

      AHAHAHAHAHAHAHAHAHAHAHAHAHAHA. That's a good one. We'd never have anything to worry about from exploits, viruses, hijackers, malware, bugfests etc if that were true.

      Might as well say it as it is. They did a commercial quality job on their Torrent Time app.

    5. Re:Oh dear balls. by Jhon · · Score: 2

      "So this is no different than downloading a torrent from an untrustworthy source... assuming anyone using The Pirate Bay cares about trustworthy sources. To execute the malicious code, you'd need to exploit the media player used by the application/browser."

      Actually, I think it is a bit different. Maybe they can exploit media player, or vlc or whatever *IF* it's not updated/patched -- but that's from a maliciously created media file. What bothers me is that there's a browser layer on TOP of that AND a different media player. The exploit doesn't necessarily NEED to be in the media stream.

      It's one thing if I run a trojan'd AVI or something -- it's another if the browser sends a trojan'd AVI I didn't request. I'm sorry, but sketchy ads at a number of torrent sites (including KAT) do enough damage now to people who aren't diligent. How much more damage could those do ALONE and how many other ways can a browser interact with the media player to "break" things in a bad way? What if a malicious ad ends up at legitimate sites (it happens quite a bit)?

    6. Re:Oh dear balls. by tnk1 · · Score: 1

      I said, "make an effort", I didn't say "entirely succeeded".

      But no, I don't think I'd call the effort on Torrent Time to be the same as decent commercial jobs. There are degrees of failure and it is important to distinguish between them.

    7. Re:Oh dear balls. by allo · · Score: 1

      There is another positive aspect: "The torrent was downloaded because of XSS" is now an excuse.

  3. So? by Anonymous Coward · · Score: 0

    Who expects privacy and security when they use torrents?

    1. Re:So? by phishybongwaters · · Score: 1

      Morons of course.

    2. Re:So? by houghi · · Score: 4, Insightful

      Who expects privacy and security when they use Internet ?

      Fixed that for you.

      --
      Don't fight for your country, if your country does not fight for you.
    3. Re:So? by Anonymous Coward · · Score: 0

      Who expects privacy?

      FTFY

  4. "the app runs on Mac as root" by Anonymous Coward · · Score: 4, Funny

    This isn't a security issue! Modern app appers know that ONLY apps can app other apps, so if you're apping The Pirate App, then only that app can app your apps!

    Apps!

    1. Re:"the app runs on Mac as root" by Anonymous Coward · · Score: 0

      Only mappers needs maps.

      Maps!

    2. Re:"the app runs on Mac as root" by Anonymous Coward · · Score: 0

      This isn't a security issue! Modern app appers know that ONLY apps can app other apps, so if you're apping The Pirate App, then only that app can app your apps!

      Apps!

      Yo dawg. I heard you like apps, so I apped your app app.

  5. BEGGARS and THIEVES cannot be CHOOSERS! by Anonymous Coward · · Score: 0

    Take what you get and LIKE it. Don't like it? Then keep your panties ON!

  6. I hope they hack Linux and BSD users by Anonymous Coward · · Score: 0, Funny

    Serves those filthy pirates right.

    1. Re:I hope they hack Linux and BSD users by TechyImmigrant · · Score: 2

      There's only a small o between BSD and BSoD.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:I hope they hack Linux and BSD users by Rik+Sweeney · · Score: 5, Funny

      That's right! One renders your system inoperable, the other is a Windows fatal system error.

      (ducks)

    3. Re:I hope they hack Linux and BSD users by yodleboy · · Score: 1

      always when i have no mod points... well played sir!

  7. Active content *is* a priv & sec nightmare by Anonymous Coward · · Score: 1

    All lazy web "developers" whose job is slapping together huge javascript frameworks will come at me with frothing mouths, but the truth is that having a client application (the browser) which picks up random executable content off the IntraTubes and executes it in my machine is a *seriously bad idea*. Yeah, yeah. Sandbox my ass.

    Heck, I thought we learnt enough from the Word macro viruses in the eighties -- no way.

    I, for one, have extirpated Javascript from my browser's default profile (some web sites come up blank. I just ditch those) and disable cookies (there's one site I enable them for *while writing a comment* and then I disable them again and delete them).

    That's it. You wanna my eyeballs? You provide something which works reasonably well with *no active content*. In exchange, I won't disable conventional banner ads (some text & png). I might even look at them and *gasp!* click on them if deemed interesting.

    1. Re:Active content *is* a priv & sec nightmare by MightyMartian · · Score: 1

      Surfing for you must be akin to driving across a dried up lame bed.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:Active content *is* a priv & sec nightmare by gstoddart · · Score: 3, Insightful

      As long as the dried up lame bed (lake?) has text, we don't give a crap.

      Some of us still prefer to get information in the form of text, and not video ... and animate whirligigs and other crap add nothing to the experience.

      But, really, in terms of not trusting javascript? That really should be common sense by now.

      --
      Lost at C:>. Found at C.
    3. Re:Active content *is* a priv & sec nightmare by silas_moeckel · · Score: 1

      You mean text not some guys talking head youtube vlog crap? It's very simple unless you're mentally deficient or entirely unfamiliar you read far faster than somebody talks. Sure a good visual is great for some subject matter and voiceovers to a video can be useful but 99% (made up on the spot) it's just an excuse to be cool or avoid actually formatting your thoughts into the written word.

      --
      No sir I dont like it.
    4. Re:Active content *is* a priv & sec nightmare by Gr8Apes · · Score: 1

      I'm with you - I don't have time to sit through a video. I have them disabled. Text and photo is fine.

      --
      The cesspool just got a check and balance.
    5. Re:Active content *is* a priv & sec nightmare by allo · · Score: 1

      Sandboxes do not matter. Most websites won't harm your pc. But why should they? It's enough to XSS your mail and CSRF your online banking.
      Most important stuff is done inside the browser sandbox, not outside.

  8. Shady thevies do shady things to computers by naris · · Score: 3

    News at 11!

    1. Re:Shady thevies do shady things to computers by Anonymous Coward · · Score: 0

      The nightly news starts at 9pm here, not 11

  9. torrent time answer by Anonymous Coward · · Score: 0

    the article was updated with torrents time's answer, which is childish at best... they used the word "fun" to describe their app, so i guess sampson is right, even if the TT devs deny all claims.... what a bunch of cry babies... admit you f***ed up and repair your app... there's no shame in that

  10. Laugh by koan · · Score: 2, Interesting

    Does anyone consider the fact these sites have been taken down (in some cases more than once) and does anyone consider who may be actually running these sites?

    --
    "If any question why we died, Tell them because our fathers lied."
    1. Re:Laugh by Anonymous Coward · · Score: 0

      No, I do however laugh at those that install shady binaries. This isn't browser only, you need a non-open source component installed. Might as well take money from the Kaitempi.

    2. Re:Laugh by Gravis+Zero · · Score: 1

      I've always assumed the internet cats run the internet. How else do you explain the number of cat videos on youtube?!

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:Laugh by Anonymous Coward · · Score: 0

      Yeah, I went to have a look at this on TPB after the previous story, but when I saw how it worked, I was like umm, nope. I was expecting something entirely browser-based.

    4. Re:Laugh by Anonymous Coward · · Score: 0

      The Pirate Bay has a pretty good track record.
      As opposed to companies like Sony and the guys at RIAA, TPB isn't particularly known for spreading malware.

      As for open source it only matters if you verify the source and compile it yourself. If you use anything pre-compiled like Ubuntu or Debian you still rely on possibly shady binaries.

    5. Re:Laugh by DrXym · · Score: 1

      Does anyone consider the fact these sites have been taken down (in some cases more than once) and does anyone consider who may be actually running these sites?

      People who like making money. The site exists because it gets a lot of eyeballs and they sell advertising space. And they don't particularly care what kind of advertising they're hosting which is why most of it is malicious (malware, trojans etc.) or a scam of one kind of another.

  11. Rome was not build in one day by Trachman · · Score: 2

    The same with software or new technology.

    Sooner or later safe and secure versions of Torrent Time (or equivalent) will appear which will allow the use of functionality without compromising security.

    1. Re:Rome was not build in one day by xvan · · Score: 1

      You don't need them, just a torrent client that supports sequential download, and a player that supports incomplete files.
      The convenience is not worth the risk in this case

    2. Re:Rome was not build in one day by wonkey_monkey · · Score: 3, Interesting

      Or just have some patience. Bloody kids.

      When I were a lad, it took days to download a 700mb Xvid DVD rip at 640x360 resolution. And we felt blessed.

      A couple of hours to download a 1080p MKV with 5.1 sound? Luxury!

      --
      systemd is Roko's Basilisk.
    3. Re:Rome was not build in one day by Anonymous Coward · · Score: 0

      I can't remember the last time a torrent took more than 20 minutes. Usually more like 5 if it's popular. Also, sequentially downloading torrents is a dick move.

    4. Re:Rome was not build in one day by Anonymous Coward · · Score: 0

      Damn straight

    5. Re:Rome was not build in one day by NotInHere · · Score: 1

      Well in fact I wonder why they even require downloading a binary at all. Right now it seems they implement the functionality using a plugin, which is basically cheating. But modern browsers (such as chrome or firefox) support WebRTC which allows one to send data between connecting browsers through P2P. So only thing you would require to build a streaming torrent site in the browser is a bit of javascript and some code to re-assemble the stream on the client side. But yeah, I guess they make more money by having the user download and execute a file they have to trust first.

    6. Re:Rome was not build in one day by thygate · · Score: 1

      wouldn't that be XSS and thus not allowed by JS ?

    7. Re:Rome was not build in one day by NotInHere · · Score: 1

      The actual payload won't be exchanged the "direct" way, involving communication over port 80 or 443, but instead it will be communicated via WebRTC js APIs. They allow for P2P communication if the website authorizes it.

      SOP doesn't really affect this.

  12. OMG this newspeak again by Anonymous Coward · · Score: 0

    TPB are copyrgiht infrngeirs, not thevies.

    1. Re:OMG this newspeak again by Anonymous Coward · · Score: 0

      TPB are copyrgiht infrngeirs, not thevies.

      Nope. According to the judge they are only assisting copyright infringement, not actually committing it.

  13. Sure, okay by Anonymous Coward · · Score: 0

    But at the same time you're getting to watch entire seasons of Reno 911 for free, so it's all worth it.

  14. Par for the course by DrXym · · Score: 1

    If someone is stupid enough to install and run software supplied by a piracy website then they deserve everything you get. Even if the TPB isn't being malicious intentionally, I'm sure one of their skeezy malvertising partners won't have qualms about exploiting users.

    1. Re:Par for the course by DrXym · · Score: 1

      you == they. Must learn to proofread.

    2. Re:Par for the course by Anonymous Coward · · Score: 0

      This is actually not a real issue, anyone that pirates this kind of stuff knows the danger so they use a single purpose PC that can be reloaded to a pristine state every couple of days.

    3. Re:Par for the course by DrXym · · Score: 1

      If they knew then there would be no market for this software or earlier examples like PirateBrowser. Clearly some people don't know.

  15. Wrong again by Anonymous Coward · · Score: 0

    They are not responsible for anyone sharing anything, as they do not personally transfer any files listed.

    TPB is simply a directory listing for bit torrent.

  16. Nice try, MPAA by Dominare · · Score: 1

    "An anonymous reader writes..."

    Suuuuuure. Is this like when they said copied VHS tapes would break your player?

  17. Security Alert! by CanEHdian · · Score: 1

    It's even worse than we could ever have imagined. According to security researcher Chros Didd of the American Association for Prevention of Malware (AAPM), actually ANY pirated Hollywood movie (1) puts your computer at great risk of hackers, (2) funds terrorism and (3) aids and abets child molestation and exploitation.

    --
    When the copyright term is "forever minus a day", live every day like it's the last.
  18. Of course it is, it's a native code plugin by Punto · · Score: 2

    The only reason why this is so "surprising" now is because it was so badly reported in the first place. Originally the announcements made it sound like it's an HTML5 replacement for the bittorrent client, which used to be a separate application from the browser, kinda like Google Docs replaced Word. That's not what it is, this is a native code plugin. When you download it, you get a huge binary file and a .so (on linux, on windows I assume it'll be dlls). This will run native code directly on your cpu with no sandbox from the browser, it's literally like downloading a random executable from the internet and running it, no different from running a standalone bittorrent client.

    The question is, would it be possible to write an actual bittorrent client using only apis provided by the browser? Scripts can use "websockets", but can they open them cross-site? And can the bittorrent protocol be modified to accept websockets? That would be an actual breakthrough, bittorrent has become practically unusable because of all the crapware that surrounds it.

    --
    Stay tuned for some shock and awe coming right up after this messages!