Slashdot Mirror


uTorrent Client Affected by Some Pretty Severe Security Flaws (bleepingcomputer.com)

A Google security researcher has found multiple security flaws affecting the uTorrent web and desktop client that allow an attacker to infect a victim with malware or collect data on the users' past downloads, reports BleepingComputer. From the report: The vulnerabilities have been discovered by Google Project Zero security researcher Tavis Ormandy, and they impact uTorrent Web, a new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old uTorrent client that most people know. Ormandy says that both uTorrent clients are exposing an RPC server -- on port 10000 (uTorrent Classic) and 19575 (uTorrent Web). The expert says that attackers can hide commands inside web pages that interact with this open RPC server. The attacker only needs to trick a user with a vulnerable uTorrent client to access a malicious web page. Furthermore, the uTorrent clients are also vulnerable to DNS rebinding -- a vulnerability that allows the attacker to legitimize his requests to the RPC server.
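The DNS rebinding point above matters because a service listening on localhost will otherwise answer any request that reaches its port, even one a browser was steered into sending. One standard defence is to reject requests whose Host header does not name the service itself; the following is an added example (not uTorrent's or the researcher's code; the port number is taken from the report and assumed here for the demo service):

```python
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer

RPC_PORT = 19575  # port cited in the report; assumed here for this demo service

def split_host_port(host_header):
    """Parse 'name:port', 'v4:port' or '[v6]:port'; return (host, port or None) or None."""
    h = (host_header or "").strip().lower()
    if h.startswith("["):                     # bracketed IPv6 literal
        end = h.find("]")
        if end < 0:
            return None
        host, rest = h[1:end], h[end + 1:]
    else:
        host, sep, rest = h.partition(":")
        rest = sep + rest
    if rest == "":
        return host, None
    if rest[0] == ":" and rest[1:].isdigit():
        return host, int(rest[1:])
    return None

def host_is_local(host_header, expected_port=RPC_PORT):
    """True only if Host names this loopback service on its own port.
    A rebinding request arrives at 127.0.0.1 with the attacker's domain in Host."""
    parsed = split_host_port(host_header)
    if parsed is None:
        return False
    host, port = parsed
    if port != expected_port:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                        # any other hostname: reject
        return False

class RpcHandler(BaseHTTPRequestHandler):
    """Refuses the request before any RPC command is dispatched."""
    def do_GET(self):
        if not host_is_local(self.headers.get("Host")):
            self.send_error(403, "Host header does not name this service")
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"rpc ok\n")        # real command dispatch would go here

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", RPC_PORT), RpcHandler).serve_forever()
```

The Host check stops rebinding but not a page that simply embeds requests to 127.0.0.1 directly, so a per-session token (or pairing step) is still needed on top of it.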

10 of 95 comments

  1. Who still uses it? by Anonymous Coward · · Score: 2, Insightful

    I thought people stopped using it once it started showing advertisements?

    1. Re:Who still uses it? by Anonymous Coward · · Score: 2, Insightful

      I still use the old v2.x uTorrent. The article doesn't state which versions are vulnerable, but I doubt mine is because it's from before they started piling on a bunch of worthless bloatware "features".

    2. Re:Who still uses it? by SeaFox · · Score: 5, Funny

      Still shows up as the top downloaded BitTorrent client on CNET and Softpedia

      I thought people stopped using CNET once it started bundling adware?

    3. Re:Who still uses it? by youngone · · Score: 2, Informative

      Or just switch to one of the many better torrent clients available like everyone else.

  2. Really classic uT doesn't seem to be vulnerable by Artem+S.+Tashkinov · · Score: 5, Informative

    Just tested the sample exploits against uTorrent 2.2.1 build 25302 - none has worked.

    1. Re:Really classic uT doesn't seem to be vulnerable by Artem+S.+Tashkinov · · Score: 2

      Another reporter is confirming my findings: very old uTorrent clients (3.0) are not susceptible to these attacks.

    2. Re:Really classic uT doesn't seem to be vulnerable by Tokolosh · · Score: 2

      My build 25273:

      Trigger crash: nothing
      Pairing request: popup with request, can deny or accept. If denied, nothing
      PIN request: same as pairing request
      Device transfer: nothing

      Connected to PIA VPN, if that is relevant.

      --
      Prove anything by multiplying Huge Number times Tiny Number

  3. Transmission by Dwedit · · Score: 2

    Makes me glad I switched to Transmission, no BS there, just a simple torrent client.

  4. qBittorrent? by echostorm · · Score: 2

    I thought most everyone switched to qBittorrent years ago when they started showing ads and other strange things. My main tracker doesn't even allow uTorrent anymore. I'm guessing q isn't affected by this?

  5. Use qBittorrent by Jahoda · · Score: 4, Insightful

    uBittorent was nerfed and winamped years ago. qBittorrent has taken its place as lightweight, clean, and reliable.