Google Project Zero researcher Tavis Ormandy has reported the security flaws in uTorrent that allow any website you visit to copy files you've downloaded, execute remote code and disclose information. He wrote that uTorrent Web uses a web interface and is controlled by a browser. It is also "configured to startup with Windows, so will always be running and accessible."
Ormandy, who informed BitTorrent Inc about the vulnerability in uTorrent back in November 2017, had to remind them again last month. He wrote that he was a little worried as the company hadn't fixed the issue within the 90-day window that Project Zero allows developers to address security flaws.
BitTorrent has released a beta build of uTorrent to fix the bugs that are letting websites see download details of users, but Ormandy has said the old issue isn't solved yet.
Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit. ?
— Tavis Ormandy (@taviso) February 20, 2018
I just fixed the exploit and verified it still works. I would recommend asking BitTorrent to resolve this issue if you're affected, and it works in the default configuration so you probably are. Sigh.
— Tavis Ormandy (@taviso) February 20, 2018
Ormandy has suggested that affected users should stop using uTorrent Web and contact BitTorrent to get the issue solved once and for all.
"This issue is still exploitable. The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway. I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch, we've done all we can to give BitTorrent adequate time, information and feedback and the issue remains unsolved," he wrote.
