uTorrent Is Vulnerable to Security Bugs That Let Malicious Websites Control Your Computer

Feb 21, 2018

One of the most used BitTorrent apps, uTorrent, is vulnerable to security bugs that can let attackers take control of your machine and execute code. A Google Project Zero security researcher has reported multiple flaws affecting both the uTorrent web and desktop clients.

Tavis Ormandy, who has become a regular name in the bug discovery world, revealed that one of the most widely used torrent apps has some easy-to-exploit vulnerabilities that can be used to execute code and snoop on the target’s download history. The bugs affect both uTorrent Web, the new web-based version of the uTorrent BitTorrent client, and uTorrent Classic, the old client that most people know and use. Both clients expose an RPC server: on port 10000 (uTorrent Classic) and port 19575 (uTorrent Web).


To be clear, visiting *any* website is enough to compromise these applications.

An attacker can hide commands to this exposed server inside a web page. All the attacker then needs to do is lead the target to that malicious page to infect their machine and collect their information. Ormandy said that the bugs exploit “domain name system rebinding” to make an untrusted domain resolve to the local IP address of the computer running a vulnerable uTorrent app. This technique allows JavaScript code hosted on a website to create a bridge to the local network, bypassing the same-origin policy (SOP).
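The usual defence against this class of bug is for the local service to check the Host header (and the Origin header on browser-initiated requests), because a rebound request reaches 127.0.0.1 but still carries the attacker’s hostname. The check below is an added illustration and not uTorrent’s code: the loopback names it accepts are assumed, the ports are the ones named above, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Loopback names the local RPC service legitimately answers to (assumed list).
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def _is_loopback_authority(authority: str, expected_port: int) -> bool:
    """True only if 'host:port' names the local service on its own port."""
    if not authority or "@" in authority:
        return False
    try:
        parts = urlsplit("//" + authority)
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    # Anything beyond a bare host:port (a path, query, ...) is rejected.
    if parts.netloc != authority:
        return False
    return parts.hostname in LOOPBACK_NAMES and port == expected_port


def should_serve(headers: dict, expected_port: int) -> bool:
    """Decide whether a request that arrived on the loopback RPC port is served.

    A DNS-rebound request still carries the attacker's domain in Host (and in
    Origin for fetch/XHR), since the browser believes it is talking to that
    domain. Both headers must therefore name the local service itself.
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if not _is_loopback_authority(lowered.get("host", ""), expected_port):
        return False
    origin = lowered.get("origin")
    if origin is not None:
        # "null" and any non-local origin are refused.
        parsed = urlsplit(origin)
        if parsed.scheme != "http" or not _is_loopback_authority(
            parsed.netloc, expected_port
        ):
            return False
    return True


# Constructed sample requests (not captured traffic); rebind.example is a
# placeholder for a hostname that was rebound to 127.0.0.1.
LEGITIMATE = {"Host": "127.0.0.1:10000"}
REBOUND = {"Host": "rebind.example:10000", "Origin": "http://rebind.example:10000"}
```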

He noted that uTorrent Web is the worst affected: an attacker can download malware onto the target’s computer and change the default download folder to a location such as the startup folder, so that the malicious file is loaded the next time the system boots.

BitTorrent failed to fix uTorrent bugs even after 90 days

The bugs were first disclosed to the company on November 27 and made public after the 90-day disclosure deadline. BitTorrent, the developer of the uTorrent apps, says that the bugs have now been fixed in a beta release of the uTorrent Windows desktop app. If you are unable to install the latest version, it is advised that you stop using the uTorrent Windows desktop app and uTorrent Web, since no other mitigation advice is available. The fixed versions include: