If you download content through the popular Transmission BitTorrent client, take a closer look at its security settings: a critical vulnerability has been detected by Google”s Project Zero reporting team.
According to the report published Tuesday, the flaw lets hackers execute malicious code and gain remote control of user PCs through their web browsers.
40 days after the report, because developers in charge of fixing the flaw didn”t apply the patch from Google researchers, researcher Tavis Ormandy posted a proof-of-concept attack based on a hacking technique called DNS rebinding.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy”s report says.
Ormandy wrote:
“The attack works like this:
The app is based on a server-client architecture. To download content, users install a daemon service locally and then go to a web-based interface.
“I regularly encounter users who do not accept that websites can access services on localhost or their intranet,” Ormandy wrote.
“These users understand that services bound to localhost are only accessible to software running on the local machine and that their browser is running on the local machine—but somehow believe that accessing a website “transfers” execution somewhere else. It does not work like that, but this is a common source of confusion.”
Ormandy tested his demo on Chrome and Firefox on Windows and Linux, but believes other platforms and browsers are vulnerable.
tags
After having addressed topics such as NFC, startups, and tech innovation, she has now shifted focus to internet security, with a keen interest in smart homes and IoT threats.
View all postsNovember 14, 2024
September 06, 2024