BitTorrent Puts Linux and Windows devices at risk of Hacking !

BitTorrent Puts Linux and Windows devices at risk of Hacking !

An IT security researcher Tavis Ormandy at Google’s Project Zero has identified a critical flaw in Transmission BitTorrent app that if exploited lets attackers take full control of a targeted computer on Linux or Windows operating system.
GOOGLE'S PROJECT ZERO has uncovered a "critical flaw" in the Transmission BitTorrent app that could give cybercrooks complete control of users' computers.

Ormandy warned that the flaw (CVE-2018-5702) is present in Transmission Function that allows attackers to control the BitTorrent app through their web browser and other BitTorrent clients can also be their prime target.

Publicising details of the attack appears to have done the trick of forcing the developers to rush out a patch, but this has not been applied in all the software that uses the Transmission protocol, Ormandy warned. 

The proof of concept published by Ormandy explains that the flaw currently works on computers running Chrome and FireFox browsers on Linux and Windows operating system. However, there are chances that the flaw might also work on other platforms such as macOS browsers if the user has enabled remote access.

Furthermore, the PoC explains, since a number of users use this function without any password, an attacker can compromise a device using domain name system (DNS) rebinding method and take control of it remotely. This explains that those who do not use this feature with a password are the prime targets of this flaw.

Moreover, the flaw allows attackers to change the download directory of torrents and use Transmission to run commands once the app finishes downloading. In a Tweet, Ormandy explained that the flaw is the “first of a few remote code execution flaws in various popular torrent clients”.

->No Response From Transmission
Google’s Project Zero and Ormandy reported their findings to Transmission on November 30th, 2017  but the company not only ignored the report, it did not bother to reply to Google for more than a month even though Ormandy’ sent his findings with the patch. This forced the researchers to go public with their findings and hopefully Transmission will learn a lesson.

->Not For The First Time
This is not the first time when Transmission is in the news for all the wrong reasons. Previously, the BitTorrent Client was caught dropping Keydnap malware on Mac devices after compromising the company’s website.