Torrenting app uTorrent is among the most popular and widely used BitTorrent clients, but some critical bugs apparently leave users vulnerable to hacking.
According to a Project Zero researcher, two versions of uTorrent have vulnerabilities that are easy to exploit and could enable hackers to execute code, steal downloaded files, and check the download history.
Critical uTorrent Vulnerabilities
The vulnerabilities reportedly allow any website a user visits to control core functions in both uTorrent Web and the desktop uTorrent app for Windows. The highest risk is that a malicious website could exploit them to plant malicious code in the Windows startup folder, where it would run automatically each time the PC boots up. Any visited website would also be able to access the download history and downloaded files.
Project Zero researcher Tavis Ormandy was the one to discover the flaw and reached out to BitTorrent. Project Zero is a team of security analysts specialized in discovering zero-day vulnerabilities and notifying the publishers or developers so that they can fix them.
Project Zero gives software vendors a 90-day window to fix the flaws; otherwise, it makes them public. Ormandy initially reached out to BitTorrent back in November to report the flaw but got no response. With the deadline for the fix rapidly approaching, Ormandy took to Twitter and contacted BitTorrent founder Bram Cohen.
@bramcohen I don't think bittorrent are going to make a 90 day disclosure deadline, do you have any direct contacts who could help? I'm not convinced they understand the severity or urgency. — Tavis Ormandy (@taviso) January 30, 2018
uTorrent Fixes Coming Soon
According to a report from Ars Technica, uTorrent developers are currently working on releasing fixes to patch the vulnerabilities in both the desktop uTorrent app and the web version. BitTorrent VP of engineering Dave Rees told the publication that a beta version of uTorrent's desktop app for Windows has already fixed the flaw, but the patch is yet to reach the general public.
The uTorrent version containing the fix is available for download, but keep in mind that it's still in beta at this point. It should make its official rollout in the next few days. uTorrent Web, meanwhile, has received a patch as well, so users are advised to update to version 0.12.0.502, which is the latest.
On the other hand, no mitigation suggestions are available for those still running the uTorrent versions vulnerable to hacking and snooping. With this in mind, uTorrent users might want to stop using the torrent app until an update that fixes the vulnerabilities becomes available.