Major Private Torrent Sites Have a Security Disaster to Fix Right Now
At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they're commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e., content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that's achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker's announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.
Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.
Rather than publish a sequence of completely redacted screenshots, we'll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It's then uploaded to the requesting site which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that's only useful when nobody knows what it is. The same security hole also grants direct access to one of the site's tracker 'bots' through the panel that controls it. Then there's access to 'Staff Tools' on the same page which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That's on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more -- revealing torrent passkeys for every single one on the way.
Re: ? What problem is ? (Score:2)
no shit sherlock (Score:3)
Re: (Score:3)
Re:no shit sherlock (Score:4, Insightful)
Re: no shit sherlock (Score:1)
Basically someone found that torrents are shared quickly using a series of automated tools that anyone with sufficient knowledge of the inner workings and the address of the web service can see the inner workings of.
Or very short: if you can manufacture access to an automation tool, you can follow the thread to see a ton more systems.
It's likely that they're using a tool that has some kind of poorly secured admin interface.
Re: (Score:2)
Most torrents are still copyrighted material (Score:1)
Was surprised at who does this stuff (Score:4, Interesting)
When Usenet was a major source for "content", the FBI eventually got involved and nailed a few of the buccaneer groups. I recall one was headed up by some Intel employees using Intel's corporate network and hardware to conduct their non-corporate activities. I had always imagined it was a bunch of teens doing this stuff, but these guys ruined their very successful adult lives for the yucks of getting their group's name into 0-day .NFO files.
Jfc, that's stupid.
I don't mean the people grabbing their favorite show or an album here n there. I mean the guys at the top of the pyramid who make the releases.
I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?
Re: (Score:1)
Re: (Score:3)
"I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?"
Because it feels good. It is that simple.
Re:Was surprised at who does this stuff (Score:4)
Fame and glory.
Isn't that what motivates all the obnoxious content online? Few actually make money, but many have an opportunity for recognition. The feeling that they are no longer an Anonymous Coward, but they have been noticed by others.
Lots of lonely people in the world craving attention.
Re: (Score:2)
Yeah, I guess... has to be that... but if you're going to become infamous for some crime then do some Bonnie n Clyde shit. Don't go down for the zero day of some stupid pc game. At least there's money and adrenaline rush in bank robbing.
Re: (Score:2)
Re: (Score:2)
Statistically, banks are way safer to rob than a 7-11, for example.
For a simple, pass a note to the teller and get out fast job your odds of being caught are extremely low and you'll make off with a fast few grand. No one is pulling a gun or really doing much of anything about it.
At a 7-11, a lot of those guys pull a gun or chase robbers out with a bat, etc. And they're not holding nearly as much cash.
I forget exactly and I'm feeling too lazy to look it up but there's something like a bank robbery every minute
Re: (Score:2)
I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?
Are you asking why adults have hobbies that clash with the law? If you thought piracy was somehow unique in that it only applies to teenagers then you're really not as smart as your username lets on.
Re: (Score:2)
Are you sure it was at Intel and not at Hewlett Packard?
Re: (Score:2)
It was a long time ago. Memory says Intel but I wouldn't swear by that.
Re: (Score:2)
Dopamine rush.
Same as gamblers and thrill seekers etc.
GOSH SUPOER WORRIED (Score:2)
Major torrent sites, which copy/paste, clone and steal code from each other, are all vulnerable, because they copy/paste, clone and steal code from each other. (intentionally repetitive statement, derp)
Whatever. No one outside the "scene" really cares, and in the ultimate-dice-fest it doesn't matter. Where one falls, another rises, and we all just scrape from there instead. Sorry, not sorry, to the lazy-fucks out there. You tried (but seems not hard enough) and not you maybe die. As they say - que sera, ser
Names please (Score:2)
heh (Score:2)
It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.
I bet the documentation says to put it behind http auth
But torrents are only for distributing Linux ISOs (Score:2)