A series of serious security flaws has been discovered in the uTorrent web and desktop versions. These flaws may open the door to an attacker to infect victims with malware or to collect data.
The discoverer of these flaws is Project Zero, Google’s security group that scans the most relevant websites and programs for errors. More specifically, Tavis Ormandy, one of its members, found this flaw.
The bug in question is easy to use. In the case of the web client, for example, it’s enough to trick the user into accessing a specific page that helps the hacker get the server’s secret authentication key. With this key, the attacker controls the server and with it, the victim’s uTorrent.
Project Zero’s policy is to give those in charge of the affected program a grace period of 90 days before making the problem public. In theory, this process allows many flaws to be resolved before the user has to worry about them.
Sometimes, the error is so difficult to sort out that the grace period ends and Project Zero decides to reveal the problem. This happened a few days ago with Microsoft, for example.
If you’re curious, Ormandy has created two pages that emulate an attack from the uTorrent web version and the uTorrent desktop version. Keep in mind that if you start the demo, your uTorrent will pause. So, you won’t be at risk.
BitTorrent, the company behind uTorrent, has released a fix for the beta version of the uTorrent desktop version. The problem is, according to Ormany, this fix isn’t convenient and doesn’t resolve the entire bug. BitTorrent doesn’t feel the same and in few days will move this fix to the regular version.
Here’s his tweet, complaining about it:
Hmm, it looks like BitTorrent just added a second token to uTorrent Web. That does not solve the DNS rebinding issue, it just broke my exploit.
— Tavis Ormandy (@taviso) 20 de febrero de 2018
There are still no patches for the web version, so you should avoid it until further notice.
Until it’s clear if uTorrent for desktop has the problem solved, and until the uTorrent for web is solved too, it’s best you don’t risk it and avoid those pages. Just a friendly warning…
If you use uTorrent regularly and you’re worried about being infected or getting infected, we recommend you install leading antivirus programs such as those recommended here: