Torrent timing app

1/17/2024

The Torrents Time browser plugin that allows users to stream multimedia torrents in real time inside their browser is plagued by various security issues that range from XSS to MitM attacks, developer Andrew Sampson has discovered.

Torrents Time is a new technology that allows users to instantly download and watch torrented material right inside their browser. Torrents Time benefits from a built-in VPN server and has seen a rise in popularity after The Pirate Bay (TPB) and Kickass Torrents (KAT), the Internet's biggest torrent portals, added live streaming buttons to their sites employing its technology.

Users who want to use Torrents Time have to download its installer, which sets up a local Node.js server and also adds an extension to their browser. Sites that employ it, like TPB and KAT, have to host a few files that allow the plugins to tap into their torrents database and query for torrent seeds and other data.

Torrents Time fails to implement CORS, leaves users vulnerable to attack

According to Mr. Sampson, Torrents Time does not properly implement CORS (Cross-Origin Resource Sharing), a crucial Web security mechanism that prevents resources from being loaded from different domains.

This means that an attacker could create a malicious Web page that mimics a regular page (popup) created by TPB or KAT, and add their own malicious code, which, because of an improper CORS implementation, would be allowed to execute.

Besides this, Mr. Sampson discovered that he could open a Torrents Time video player inside this malicious page and serve the user the torrent files they wanted. This could let the user think they're accessing a trustworthy Torrents Time video player, when, in reality, the attacker could be delivering malicious code in the background while the user is watching a movie.

Additionally, Mr. Sampson discovered that JavaScript code delivered to the user's browser could trickle down to the local Torrents Time Node.js server and query its API for details about the user. This function can be abused by advertisers to randomly check Internet users for those who have Torrents Time installed, and then collect information that can be used to track them online.

Sampson also discovered obfuscated code in the Torrents Time source, which he was not able to crack to see what it actually did, and observed that the Torrents Time servers were tracking all of its users' activity (IP, location, user agent, cookie, watched torrents, etc.).

Torrents Time runs as root on Macs

But the issues didn't stop here, because the Torrents Time app was also running as a root user on Mac, which opens a huge security issue for Apple users if an attacker would like to abuse the app and install malware on their machines.

Sampson discovered that the Torrents Time app could be forced to redownload the browser plugins on command.
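
The CORS weakness and the open local API described in this article come down to how a localhost Node.js helper treats the `Origin` and `Host` headers. The code below is an added example, not code from Torrents Time or from Mr. Sampson's findings; it puts a permissive handler beside a hardened one, and the allowlisted origin, the port and all function names are assumptions chosen for illustration.

```javascript
// Added example: origin handling for a localhost helper API (all names hypothetical).
const ALLOWED_ORIGINS = new Set(["https://portal.example"]); // constructed allowlist
const LOCAL_HOSTS = new Set(["127.0.0.1:12400", "localhost:12400"]); // placeholder port

// Weak pattern: every origin is echoed back, so any page the user visits
// can read responses from the local API.
function weakCors(req) {
  const origin = req.headers.origin || "*";
  return { status: 200, headers: { "Access-Control-Allow-Origin": origin } };
}

// Hardened pattern: decide before any API handler runs.
function strictCors(req) {
  const { origin, host } = req.headers;
  // A Host header that is not a loopback name means the request arrived via
  // some other DNS name (DNS rebinding); refuse it.
  if (!LOCAL_HOSTS.has(host)) return { status: 403, headers: {} };
  // Reject unknown origins outright: CORS response headers only control who
  // may read the reply, they do not stop the request from being processed.
  if (origin !== undefined && !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  // origin === undefined: non-browser client or same-origin request.
  const headers = { Vary: "Origin" };
  if (origin !== undefined) headers["Access-Control-Allow-Origin"] = origin;
  if (req.method === "OPTIONS") {
    headers["Access-Control-Allow-Methods"] = "GET";
    return { status: 204, headers }; // preflight answer, no body
  }
  return { status: 200, headers };
}

// Adapter usable as the callback of Node's http.createServer(handler).
function handler(req, res) {
  const d = strictCors(req);
  res.writeHead(d.status, d.headers);
  res.end(d.status === 200 ? JSON.stringify({ ok: true }) : "");
}

// Constructed requests: a look-alike page versus the allowlisted portal.
const evil = { method: "GET", headers: { host: "127.0.0.1:12400", origin: "https://lookalike.example" } };
const good = { method: "GET", headers: { host: "127.0.0.1:12400", origin: "https://portal.example" } };
console.log(weakCors(evil).headers, strictCors(evil).status, strictCors(good).status);
```
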