BitTorrent Client uTorrent Suffers Security Vulnerability - JSON-RPC issues

[SystemF]

BitTorrent client uTorrent is suffering from an as yet undisclosed vulnerability.
The security flaw in question was reported by Google vulnerability researcher Tavis Ormandy, who first reached out to BitTorrent in November last year. Google’s Project Zero allows developers a 90-day window to address security flaws but with this deadline creeping up, BitTorrent had remained quiet.

Links:
Project Zero blogpost
On TF: Article
On Reddit: Click

 

[RMerlin]

So far, uTorrent security issues seemed to be tied to its webui. People still using uTorrent should consider disabling that, or ideally moving to a different client. I switched to qBittorrent myself a few years ago when finding an adware-free installer for uTorrent proved next to impossible.

 

[ColinTaylor]

+1 for qBittorrent

 

[sfx2000]

Similar to vulns found in Transmission, which were eventually fixed.

 

[RMerlin]

Similar to vulns found in Transmission, which were eventually fixed.

Transmission has the benefit of being open-sourced tho.

 

[sfx2000]

Transmission has the benefit of being open-sourced tho.

Even they took time to fix it - named and shamed...

The bigger issue is that many of the torrent clients may offer a WebGUI - most casual users may not know - and that part of the problem...

 

[sfx2000]

FWIW - I'm not a big torrent user - mostly to share some private builds with a group of testers, and the major linux distro's do offer torrents there.

The real risk is to the casual torrent users - and that is also devices that may hide the torrent client behind some other user interface - and this is a rich target for folks that might want to corrupt things with malware and whatnot...

 

[SystemF]

Still using 2.2.1, on work tested ver.3 there is a test and suddenly apeears a message that "admin want access", in software firewall block all trafic inbound from tcp and udp port 10000, also set net.discoverable to false.