Slashdot Mirror


Pirate Bay Browser Streaming Technology Is a Security and Privacy Nightmare (softpedia.com)

An anonymous reader writes: Last week the Pirate Bay added support for streaming video torrents inside the browser in real time. Kickass Torrents followed the next week. The technology they used is called Torrents Time. A security researcher has discovered that this technology, which is a mix of client- and server-side code, is actually a security and user privacy disaster. Attackers can carry out XSS attacks on TPB and KAT, the app runs on Mac as root, attackers can hijack downloads and force malicious code on the user's PC, and advertisers can collect info on any user that has Torrents Time installed.

20 of 72 comments

  1. Next on the news... by MitchDev · · Score: 4, Insightful

    MPAA and RIAA releases tainted movies and music on torrents themselves...

    1. Re:Next on the news... by ickleberry · · Score: 2

      RIAA.. now there's a name I haven't heard in a while. Are they still around?

    2. Re:Next on the news... by gstoddart · · Score: 4, Informative

      You don't need to hear their name, the US government has now been tasked to do this shit on their behalf, they just write the text of the laws and treaties behind the scenes.

      You don't think ICE policing copyright because they're under the control of DHS was an accident, do you?

      Once the agency with the keys to the kingdom polices copyright, you can be more in the background.

      --
      Lost at C:>. Found at C.
    3. Re:Next on the news... by CeasedCaring · · Score: 3, Funny

      MPAA and RIAA releases tainted movies and music on torrents themselves...

      Didn't they merge to become MAFIAA (Music And Film Industry Associations of America)?

    4. Re:Next on the news... by JustAnotherOldGuy · · Score: 4, Informative

      You don't need to hear their name, the US government has now been tasked to do this shit on their behalf, they just write the text of the laws and treaties behind the scenes.

      This is, sadly, an extremely accurate description of how things work now. The corporations provide "advice" and "policy position consulting" in the form of fully-written bills and treaty amendments, and the law makers just staple them into the binder.

      I'm not kidding in the least, this is literally how it works these days.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    5. Re:Next on the news... by sudon't · · Score: 2

      The RIAA performs a very important function - setting the equalization curve for phonograph records. Of course, now that that's done, I suppose they're no longer needed.

      --
      -- sudon't

      Air-ride Equipped

    6. Re:Next on the news... by guises · · Score: 2

      this is literally how it works these days.

      Look, I get that everyone's tired about the pedantry surrounding that word, but it only stems from the fact people keep abusing it. Just take half a second to think to yourself before you say "literally": is it really true? Is it literally literally? Even if the answer is no, that doesn't have to cripple your argument. There are other perfectly acceptable words which can impart emphasis.

      Why would law makers staple bills into a binder? That's not what binders are for. The whole reason you use a binder is so that you don't have to staple.

  2. "the app runs on Mac as root" by Anonymous Coward · · Score: 4, Funny

    This isn't a security issue! Modern app appers know that ONLY apps can app other apps, so if you're apping The Pirate App, then only that app can app your apps!

    Apps!

  3. Shady thieves do shady things to computers by naris · · Score: 3

    News at 11!

  4. Laugh by koan · · Score: 2, Interesting

    Does anyone consider the fact these sites have been taken down (in some cases more than once) and does anyone consider who may be actually running these sites?

    --
    "If any question why we died, Tell them because our fathers lied."
  5. Re:Active content *is* a priv & sec nightmare by gstoddart · · Score: 3, Insightful

    As long as the dried up lame bed (lake?) has text, we don't give a crap.

    Some of us still prefer to get information in the form of text, and not video ... and animated whirligigs and other crap add nothing to the experience.

    But, really, in terms of not trusting javascript? That really should be common sense by now.

    --
    Lost at C:>. Found at C.
  6. Rome was not built in one day by Trachman · · Score: 2

    The same with software or new technology.

    Sooner or later safe and secure versions of Torrent Time (or equivalent) will appear which will allow the use of functionality without compromising security.

    1. Re:Rome was not built in one day by wonkey_monkey · · Score: 3, Interesting

      Or just have some patience. Bloody kids.

      When I were a lad, it took days to download a 700mb Xvid DVD rip at 640x360 resolution. And we felt blessed.

      A couple of hours to download a 1080p MKV with 5.1 sound? Luxury!

      --
      systemd is Roko's Basilisk.
  7. Re:So? by houghi · · Score: 4, Insightful

    Who expects privacy and security when they use Internet ?

    Fixed that for you.

    --
    Don't fight for your country, if your country does not fight for you.
  8. Re:I hope they hack Linux and BSD users by TechyImmigrant · · Score: 2

    There's only a small o between BSD and BSoD.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. Re:Oh dear balls. by xvan · · Score: 2

    Mr. Sampson discovered that he could open a Torrents Time video player inside this malicious page and serve the user the torrent files they wanted. This could let the user think they're accessing a trustworthy Torrents Time video player, when, in reality, the attacker could be delivering malicious code in the background while the user is watching a movie.

    So this is no different than downloading a torrent from an untrustworthy source... assuming anyone using The Pirate Bay cares about trustworthy sources. To execute the malicious code, you'd need to exploit the media player used by the application/browser.

    "XSS on The Pirate Bay and Kickass Torrents"

    So an attacker could theoretically get your pirate bay cookies, oh, the horror.

    I still prefer to use qbittorrent and mplayer for "streaming" but I can't see any major fuck up here.

  10. Re:I hope they hack Linux and BSD users by Rik+Sweeney · · Score: 5, Funny

    That's right! One renders your system inoperable, the other is a Windows fatal system error.

    (ducks)

  11. Re:Oh dear balls. by tnk1 · · Score: 5, Insightful

    Even The Pirate Bay itself is quite hacked code.

    Remember that these softwares are made by amateurs who spent their time downloading warez instead of getting proper professional programming education.

    Actually, I doubt that they lack CS education. What they lack is QA. "Good" developers with educations let this sort of shit through all the time. The businesses who make software actually make an effort to test their software for security and functionality.

    The problem with these guys is that coding is sexy, QA is not.

  12. Re:Oh dear balls. by Jhon · · Score: 2

    "So this is no different than downloading a torrent from an untrustworthy source... assuming anyone using The Pirate Bay cares about trustworthy sources. To execute the malicious code, you'd need to exploit the media player used by the application/browser."

    Actually, I think it is a bit different. Maybe they can exploit media player, or vlc or whatever *IF* it's not updated/patched -- but that's from a maliciously created media file. What bothers me is that there's a browser layer on TOP of that AND a different media player. The exploit doesn't necessarily NEED to be in the media stream.

    It's one thing if I run a trojan'd AVI or something -- it's another if the browser sends a trojan'd AVI I didn't request. I'm sorry, but sketchy ads at a number of torrent sites (including KAT) do enough damage now to people who aren't diligent. How much more damage could those do ALONE and how many other ways can a browser interact with the media player to "break" things in a bad way? What if a malicious ad ends up at legitimate sites (it happens quite a bit)?

  13. Of course it is, it's a native code plugin by Punto · · Score: 2

    The only reason why this is so "surprising" now is because it was so badly reported in the first place. Originally the announcements made it sound like it's an HTML5 replacement for the BitTorrent client, which used to be a separate application from the browser, kinda like Google Docs replaced Word. That's not what it is, this is a native code plugin. When you download it, you get a huge binary file and a .so (on Linux, on Windows I assume it'll be DLLs). This will run native code directly on your CPU with no sandbox from the browser, it's literally like downloading a random executable from the internet and running it, no different from running a standalone BitTorrent client.

    The question is, would it be possible to write an actual BitTorrent client using only APIs provided by the browser? Scripts can use "websockets", but can they open them cross-site? And can the BitTorrent protocol be modified to accept websockets? That would be an actual breakthrough, BitTorrent has become practically unusable because of all the crapware that surrounds it.

    --
    Stay tuned for some shock and awe coming right up after these messages!