
Major Private Torrent Sites Have a Security Disaster to Fix Right Now

At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they're commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e., content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that's achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker's announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.

Rather than publish a sequence of completely redacted screenshots, we'll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It's then uploaded to the requesting site, which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey, but that's only useful when nobody knows what it is. The same security hole also grants direct access to one of the sites' tracker 'bots' through the panel that controls it. Then there's access to 'Staff Tools' on the same page, which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That's on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more -- revealing torrent passkeys for every single one on the way.
  • by bloodhawk ( 813939 ) on Tuesday January 03, 2023 @09:20PM (#63178380)
    shock horror torrent sites have security issues. Anyone that has used any of the major or minor torrent sites knows full well none of them give a shit about security and most actively and knowingly host scam and malware. This is why I have a dedicated VM for torrents that is isolated and disposable.
    • I fell asleep after about the fifth page of that rambling, incoherent screed, roughly the same point at which I was seriously wondering whether it was worth ploughing through the rest of it to see if it ever got to a point. Can someone familiar with the tech summarise it in a sentence or two?
  • So better hurry! Patch the flaw! Or for crying out loud, shell out the $20.
  • by iAmWaySmarterThanYou ( 10095012 ) on Tuesday January 03, 2023 @09:39PM (#63178414)

    When Usenet was a major source for "content", the FBI eventually got involved and nailed a few of the buccaneer groups. I recall one was headed up by some Intel employees using Intel's corporate network and hardware to conduct their non-corporate activities. I had always imagined it was a bunch of teens doing this stuff, but these guys ruined their very successful adult lives for the yucks of getting their group's name into 0-day .NFO files.

    Jfc, that's stupid.

    I don't mean the people grabbing their favorite show or an album here n there. I mean the guys at the top of the pyramid who make the releases.

    I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?

    • Because Stallman has a point. They were losing their IP to Asia anyway, so they were on equal ground to make such a "statement."
    • "I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?"

      Because it feels good. It is that simple.

    • Fame and glory.

      Isn't that what motivates all the obnoxious content online? Few actually make money, but many have an opportunity for recognition. The feeling that they are no longer an Anonymous Coward, but they have been noticed by others.

      Lots of lonely people in the world craving attention.

      • Yeah, I guess... has to be that... but if you're going to become infamous for some crime then do some Bonnie n Clyde shit. Don't go down for the zero day of some stupid pc game. At least there's money and adrenaline rush in bank robbing.

        • It comes down to what floats your boat. Realistically, Bonnie n Clyde is something any dumb shit can do as long as you have more balls than brains, and robbing a bank ain't like the days of Bonnie n Clyde; the security, combined with the lack of real money in physical banks these days, makes that a really stupid move, especially if all you are after is fame.
          • Statistically, banks are way safer to rob than a 7-11, for example.

            For a simple, pass-a-note-to-the-teller-and-get-out-fast job, your odds of being caught are extremely low and you'll make off with a fast few grand. No one is pulling a gun or really doing much of anything about it.

            At a 7-11, a lot of those guys pull a gun or chase robbers out with a bat, etc. And they're not holding nearly as much cash.

            I forget exactly and I'm feeling too lazy to look it up, but there's something like a bank robbery every minute.

    • I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?

      Are you asking why adults have hobbies that clash with the law? If you thought piracy was somehow unique in that it only applies to teenagers then you're really not as smart as your username lets on.

    • by suss ( 158993 )

      Are you sure it was at Intel and not at Hewlett Packard?

    • Dopamine rush.

      Same as gamblers and thrill seekers etc.

  • Major torrent sites, which copy/paste, clone and steal code from each other, are all vulnerable, because they copy/paste, clone and steal code from each other. (intentionally repetitive statement, derp)

    Whatever. No one outside the "scene" really cares, and in the ultimate-dice-fest it doesn't matter. Where one falls, another rises, and we all just scrape from there instead. Sorry, not sorry, to the lazy-fucks out there. You tried (but seems not hard enough) and not you maybe die. As they say - que sera, ser

  • waiting for someone to post the names of these sites ;-)
  • It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

    I bet the documentation says to put it behind HTTP auth.

  • I'm shocked that there is a hint that this technology, which is clearly used by a majority of people to get the latest Linux ISOs has a small minority of users leveraging it for illicit purposes!
