A Bittorrent Bug Makes Linux and Windows Devices Vulnerable to Hacking
A critical flaw in Transmission BitTorrent application has been identified by an IT security researcher, Tavis Ormandy.
Tavis, who is currently working on Google’s Project Zero, has also indicated that the flaw would enable attackers to gain complete control of a target computer if it is running Windows or Linux operating systems.
The researcher cautioned that the flaw (CVE-2018-5702) is contained in the transmission function which allows hackers to control BitTorrent, a popular app.
According to Tavis, the flaw presently works on computers systems which are running Firefox and Chrome browsers on Windows and Linux operating systems only as it lets hackers control browsers.
Nevertheless, it is also a possibility that the flaw could make other platforms vulnerable, such as the Mac OS.
Moreover, the Proof of Concept published by Tavis Ormandy explains that because of a number of users utilizing this function without any password protection, a cyber criminal might be able to compromise a device using the DNS (domain name system) rebinding method and remotely grasp control.
The bug also enables attackers to control the app, changing destination for downloaded files and run commands once a file is downloaded.
Ormandy explained in a tweet that the bug is the 1st of a very few remote key
execution bugs among many popular torrent clients.
These findings were reported to Transmission by the finders, but not only the report was ignored by the company, they did not even bother replying to Google for a long period, even though Tavis sent his findings along with the patch.
This caused the researchers to go public with this message:
“Your device can be vulnerable to this attack if you download torrents, therefore it is being advised to disable the remote access feature for now.”