There’s a serious security vulnerability affecting both the Windows desktop and Web version of uTorrent which could allow attackers to remotely execute code and wreak havoc on computers. A Google Project Zero researcher named Tavis Ormandy was the first to highlight the flaw and demonstrate an exploit.
Ormandy apparently told uTorrent parent company BitTorrent about the problem back in November 2017. He recently decided to go public with his findings, claiming that his methods could allow rogue websites to spy on a victim’s download history, access their downloaded files, and add torrents without their knowledge.
Websites could even download malicious code into the Windows startup folder so that it automatically runs when the PC boots up. Ormandy took advantage of a DNS rebinding issue for his exploit, allowing outsiders to remotely execute code through uTorrent’s remote control tool.
Also Read: ExtraTorrent closed down permanently
BitTorrent decided to issue a statement on the matter recently, confirming Ormandy’s research and explaining that an attacker could craft a URL which would trigger actions such as adding a torrent in the client without the user’s consent. It’s released a fix for both the Windows desktop and Web beta builds and plans to roll it out to the stable versions soon.
However, BitTorrent’s fix may not be enough to keep hackers at bay. Ormandy says that its solution just added a second token to uTorrent Web to break his exploit and doesn’t actually address the DNS rebinding problem. He later tweeted that he had fixed the exploit and verified that it still works.
BitTorrent might have some more work to do as a result. In the meanwhile, try to avoid using uTorrent or at least keep away from sketchy sites. You can download the beta version of uTorrent here.