
Saturday, February 13, 2016

Stop Streaming Torrents, Torrents-Time Browser Plugin Is Vulnerable To XSS & MITM.


Torrents Time is a new technology that allows users to instantly download and watch torrented material right inside their browser. Users who want to use Torrents Time have to download its installer, which sets up a local Node.js server and also adds an extension to their browser.

According to developer Andrew Sampson, the Torrents Time browser plugin, which allows users to stream multimedia torrents in real time inside their browser, is plagued by various security issues that range from XSS to MitM attacks.

Sites that employ it, like TPB and KAT, have to host a few files that allow the plugin to tap into their torrents database and query for torrent seeds and other data. Sampson says that this is where the Torrents Time plugin is vulnerable.


According to him, Torrents Time does not properly implement CORS (Cross-Origin Resource Sharing), a crucial Web security mechanism that controls which resources may be loaded across different domains, and this leaves users vulnerable to attack.

Sampson says that a potential hacker can create a specially crafted website loaded with malware to mimic a regular page (popup) created by TPB or KAT, and add their own malicious code, which, because of the improper CORS implementation, would be allowed to execute.

Another issue is that JavaScript code delivered to the user's browser by Torrents Time could reach the local Torrents Time Node.js server and query its API for details about the user. This function can be abused by advertisers to randomly check Internet users for those who have Torrents Time installed, and then collect information that can be used to track them online.
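One way a localhost helper service like the one described above can refuse pages it does not trust is an exact-match Origin allowlist that runs before any API logic. This is an added example, not Torrents Time's code or Sampson's proof of concept; the allowed origin `https://player.example`, the port and the JSON body are hypothetical.

```javascript
// Added example: Origin allowlisting for a localhost helper API.
// The allowlisted origin and the JSON body are hypothetical placeholders.
const ALLOWED_ORIGINS = new Set(['https://player.example']);

// Decide how to answer a request using only its method and headers.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  // Exact-match allowlist. A missing Origin (no-cors loads such as <img> or
  // <script> tags, non-browser clients) and the literal "null" origin of
  // sandboxed frames are both refused, so nothing is ever reflected blindly.
  if (typeof origin !== 'string' || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {}, body: 'origin not allowed' };
  }
  const cors = {
    'Access-Control-Allow-Origin': origin, // one vetted origin, never "*"
    'Vary': 'Origin',                      // keep caches from mixing origins
  };
  if (method === 'OPTIONS') {
    // Preflight: advertise only the single read-only method on offer.
    return { status: 204, headers: { ...cors, 'Access-Control-Allow-Methods': 'GET' }, body: '' };
  }
  if (method !== 'GET') {
    return { status: 405, headers: { ...cors, 'Allow': 'GET, OPTIONS' }, body: 'method not allowed' };
  }
  return {
    status: 200,
    headers: { ...cors, 'Content-Type': 'application/json' },
    body: JSON.stringify({ running: true }),
  };
}

// Adapter for Node's http module; the decision is made before any API logic runs.
function handle(req, res) {
  const d = corsDecision(req.method, req.headers);
  res.writeHead(d.status, d.headers);
  res.end(d.body);
}

// Bind to loopback only. Call startServer() to run it; the port is arbitrary.
function startServer(port = 8123) {
  const http = require('http');
  return http.createServer(handle).listen(port, '127.0.0.1');
}
```

Rejecting the request on the server side matters because CORS response headers only stop a page from reading the reply; without the 403, a cross-origin request would still be processed.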

He also discovered that Torrents Time could spy on its users by tracking their activity (IP, location, user agent, cookie, watched torrents, etc.).

According to Sampson, Mac users are at even more risk from using Torrents Time. This is because the Torrents Time app for Mac runs as the root user.
A potential attacker could abuse the app to install malware. This is possible because Sampson discovered that the Torrents Time app could be forced to redownload the browser plugins on command, so that users are forced to download a file from the attacker's own server, probably infected with malware.

Sampson also said that attackers could use malicious JS code to ping your local Torrents Time Node.js server with exactly 1024 bytes and force your CPU usage to remain between 50% and 80% until the Torrents Time service is shut down or crashes.

Here's the Proof-Of-Concept code uploaded by Sampson.

Monday, October 5, 2015

How to Download Torrent File in linux OS

Deluge is one of the most popular torrent downloaders for the Linux operating system. Its current version is stable and as easy to use as any other torrent client. The Deluge team put effort into making it more stable by providing a final fix update. The current stable version is Deluge 1.3.12, with some bug and crash fixes and enhancements. Deluge is available for Ubuntu, Linux Mint, Linux Lite, etc.

Install Deluge in linux OS

Terminal:

sudo apt-get install deluge

Deluge is already available in the official Ubuntu repositories, but the packaged version might be out of date. The update is not yet available in the official Ubuntu repository, but don't worry: you can easily add the official Deluge PPA to Ubuntu.

Use the following commands to add PPA and then update local list of repositories and then upgrade to Deluge 1.3.12.


Deluge PPA Repository

The Deluge PPA contains the latest Deluge releases for Ubuntu.

sudo add-apt-repository ppa:deluge-team/ppa
sudo apt-get update
sudo apt-get install deluge


Removing 

sudo apt-get remove deluge


Install μTorrent in Ubuntu 


Ubuntu 14.04 / 13.10 / 13.04 / 12.10 / 12.04 / 11.10 users: run the command below to install the dependency library.
sudo apt-get install libssl0.9.8:i386
Now open a terminal and enter the following command to download.
wget http://download.utorrent.com/linux/utorrent-server-3.0-25053.tar.gz
After downloading, move to the directory where the downloaded file is located.
For example, if the downloaded file is in the Downloads directory, use the command below.
cd Downloads/
Now copy the downloaded tar file to the /opt directory using the following command.
sudo cp utorrent-server-3.0-25053.tar.gz /opt/
Now change the current directory to the opt directory and extract the tar file. Run the following commands one by one.
cd /opt/
sudo tar -xvf utorrent-server-3.0-25053.tar.gz
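Change the permission of the extracted folder. Note that mode 777 makes everything in it, including the utserver binary that the next step links into /usr/bin, writable by every local user.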
sudo chmod 777 -R utorrent-server-v3_0/
Create a symbolic link so that you can run the torrent server from terminal.
sudo ln -s /opt/utorrent-server-v3_0/utserver /usr/bin/utserver
That’s it. Now you can start the utorrent server by using the following command in terminal.
utserver -settingspath /opt/utorrent-server-v3_0/ &