Major Private Torrent Sites Have a Security Disaster to Fix Right Now

At least three major torrent sites are currently exposing intimate details of their operations to anyone with a web browser. TorrentFreak understands that the sites use a piece of software that grabs brand-new content from other sites before automatically uploading it to their own. A security researcher tried to raise the alarm but nobody will listen. From the report: To get their hands on the latest releases as quickly as possible, [private torrent sites, or private trackers as they're commonly known] often rely on outside sources that have access to so-called 0-Day content, i.e, content released today. The three affected sites seem to have little difficulty obtaining some of their content within minutes. At least in part, that's achieved via automation. When outside suppliers of content are other torrent sites, a piece of software called Torrent Auto Uploader steps in. It can automatically download torrents, descriptions, and associated NFO files from one site and upload them to another, complete with a new .torrent file containing the tracker's announce URL. The management page [here] has been heavily redacted because the content has the potential to identify at least one of the sites. It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

Torrent Auto Uploader relies on torrent clients to transfer content. The three sites in question all use rTorrent clients with a ruTorrent Web UI. We know this because the researcher sent over a whole bunch of screenshots and supporting information which confirms access to the torrent clients as well as the Torrent Auto Uploader software. The image [here] shows redactions on the tracker tab for good reason. In a regular setup, torrent users can see the names of the trackers coordinating their downloads. This setup is no different except that these URLs reference three different trackers supplying the content to one of the three compromised sites.

Rather than publish a sequence of completely redacted screenshots, we'll try to explain what they contain. One begins with a GET request to another tracker, which responds with a torrent file. It's then uploaded to the requesting site which updates its SQL database accordingly. From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that's only useful when nobody knows what it is. The same security hole also grants direct access to one of the sites tracker 'bots' through the panel that controls it. Then there's access to 'Staff Tools' on the same page which connect to other pages allowing username changes, uploader application reviews, and a list of misbehaving users that need to be monitored. That's on top of user profiles, the number of torrents they have active, and everything else one could imagine. Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more -- revealing torrent passkeys for every single one on the way.

Re: ? What problem is ?

[RegistrationIsDumb83]

I am always amused when these piracy websites want to keep their torrents private or put captchas to prevent scraping. They're stealing content from people yet somehow feel indignant when their stolen content gets re-stolen? lol

no shit sherlock

[bloodhawk]

shock horror torrent sites have security issues. Anyone that has used any of the major or minor torrent sites knows full well none of them give a shit about security and most actively and knowingly host scam and malware. This is why I have a dedicated VM for torrents that is isolated and disposable.

Re:

[arglebargle_xiv]

I fell asleep after about the fifth page of that rambling, incoherent screed, roughly the same point at which I was seriously wondering whether it was worth ploughing through the rest of it to see if it ever got to a point. Can someone familiar with the tech summarise it in a sentence or two?

Re:no shit sherlock

[dsgrntlxmply]

"If you lie down with dogs, you will get up with fleas."

Re: no shit sherlock

[guruevi]

Basically someone found that torrents are shared quickly using a series of automated tools that anyone with sufficient knowledge of the inner workings and the address of the web service can see the inner workings of.

Or very short: if you can manufacture access to an automation tool, you can follow the thread to see a ton more systems.

Itâ(TM)s likely that theyâ(TM)re using a tool that has some kind of poorly secured admin interface.

Re:

[arglebargle_xiv]

Thanks! Now if only TFA had said that...

Most torrents are still copyrighted material

[paravis]

So better hurry! Patch the flaw! Or for crying out loud, shell out the $20.

Was surprised at who does this stuff

[iAmWaySmarterThanYou]

When Usenet was major source for "content", the FBI eventually got involved and nailed a few of the buccaneer groups. I recall one was headed up by some intel employees using Intel's corporate network and hardware to conduct their non-corporate activities. I had always imagined it was a bunch of teens doing this stuff, but these guys ruined their very successful adult lives for the yucks of getting their group's name into 0-day .NFO files.

Jfc, that's stupid.

I don't mean the people grabbing their favorite show or an album here n there. I mean the guys at the top of the pyramid who make the releases.

I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?

Re:

[Legalize CP]

Because Stallman has a point. They were losing their IP to Asia anyway, so they were on equal ground to make such a "statement."

Re:

[zenlessyank]

"I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?"

Because it feels good. It is that simple.

Re:Was surprised at who does this stuff

[swell]

Fame and glory.

Isn't that what motivates all the obnoxious content online? Few actually make money, but many have an opportunity for recognition. The feeling that they are no longer an Anonymous Coward, but they have been noticed by others.

Lots of lonely people in the world craving attention.

Re:

[iAmWaySmarterThanYou]

Yeah, I guess... has to be that... but if you're going to become infamous for some crime then do some Bonnie n Clyde shit. Don't go down for the zero day of some stupid pc game. At least there's money and adrenaline rush in bank robbing.

Re:

[bloodhawk]

It comes down to what floats your boat. Realistically Bonnie n Clyde anyone dumb shit can do as long as you have more balls than brains and robbing a bank aint like the days of Bonny n Clyde, the security combined with lack of real money in physical banks these days makes that a real stupid move, especially if all you are after is fame.

Re:

[iAmWaySmarterThanYou]

Statistically, banks are way safer to rob than a 7-11, for example.

For a simple, pass a note to tell and get out fast job your odds of being caught are extremely low and you'll make off with a fast few grand. No one is pulling a gun or really doing much of anything about it.

At a 7-11, a lot of those guys pull a gun or chase robbers out with a bat, etc. And they're not holding nearly as much cash.

I forget exactly and I'm feeling too lazy to look it up but there's something like a bank robbery every minute

Re:

[thegarbz]

I don't get it. Why do adults with so much at risk and so little to gain get involved in this stuff?

Are you asking why adults have hobbies that clash with the law? If you thought piracy was somehow unique in that it only applies to teenagers then you're really not as smart as your username lets on.

Re:

[suss]

Are you sure it was at Intel and not at Hewlett Packard?

Re:

[iAmWaySmarterThanYou]

It was a long time ago. Memory says Intel but I wouldn't swear by that.

Re:

[Deal In One]

Dopamine rush.

Same as gamblers and thrill seekers etc.

GOSH SUPOER WORRIED

[Arethan]

Major torrent sites, which copy/paste, clone and steal code from each other, are all vulnerable, because they copy/paste, clone and steal code from each other. (intentionally repetitive statement, derp)

Whatever. No one outside the "scene" really cares, and in the ultimate-dice-fest it doesn't matter. Where one falls, another rises, and we all just scrape from there instead. Sorry, not sorry, to the lazy-fucks out there. You tried (but seems not hard enough) and not you maybe die. As they say - que sera, ser

Names please

[knoledgesponge]

waiting for someone to post the names of these sites ;-)

heh

[drinkypoo]

It's a web interface, one that has no password protection and is readily accessible by anyone with a web browser. The same problem affects at least three different servers operated by the three sites in question.

I bet the documentation says to put it behind http auth

But torrents are only for distributing Linux ISOs

[blarkon]

I'm shocked that there is a hint that this technology, which is clearly used by a majority of people to get the latest Linux ISOs has a small minority of users leveraging it for illicit purposes!