uTorrent Bug Allows Malicious Webpages to Control the Software

A Google security researcher has uncovered a bug in uTorrent that can let a hacker hijack the software to deliver malware.

The problem mainly affects uTorrent Web, the newer version of the popular BitTorrent customer, which contains a serious remote code execution issues, co-ordinate to Google researcher Tavis Ormandy.

SecurityWatch He discovered a flaw in the way uTorrent communicates data and stores an authentication token. A webpage loaded over a browser could exist rigged to steal the token, and proceeds complete control over the uTorrent service. "Once you have the secret, y'all can just change the directory torrents are saved to, and and so download whatsoever file anywhere," he wrote in written report about the bug.

It doesn't help that by default uTorrent Spider web is configured to automatically run on startup. With control over the client, a webpage'due south owner could direct the software to download a piece of malware. The malware can then exist delivered into a Windows PC's startup binder, which will load the program on the side by side kicking up. All that's needed is to trick a victim into visiting the malicious website.

On Tuesday, BitTorrent released an update to uTorrent Web that patches the problem. It'due south available in build 0.12.0.502, which can be downloaded through the official uTorrent website or via the application itself.

"BitTorrent expects to have builds with fixes to all reported vulnerabilities available to customers within the side by side 24 hours," VP of technology David Rees said in an email.

Ormandy first began reporting the issues to BitTorrent in Dec. He as well found a similar flaw in uTorrent Classic that can betrayal what torrents y'all've downloaded to a rigged website. Ormandy said the problem was fixed in a beta build of the software.