Still using BitTorrent to exclusively download legally acquired content such as operating system images or files you want to share privately with friends? If so, you might want to double-check your security settings to protect yourself from what researchers at Google’s Project Zero are calling a “low complexity hack” affecting Transmission and other popular BitTorrent clients. The flaw could leave your computer vulnerable to control by malicious hackers, but you can protect yourself by following a few steps until official fixes are in place.
Image credit: Transmission
The proof-of-concept attack, Ars Technica explains, affects users who control their BitTorrent client through their web browser, which lets them manage their transfers remotely. Many clients with remote access enabled are left unprotected and don't require the user to enter a password.
The flaw, explained by Project Zero researcher Tavis Ormandy, takes advantage of that lax security and lets attackers issue commands through the web interface, turning your BitTorrent client into an entry point: once the wrong person has reached your torrent downloads, they can run whatever code they want on your computer.
While Project Zero only disclosed the flaw in Transmission after providing a fix, other BitTorrent clients might face similar security issues, according to this tweet from Ormandy, which refers to flaws in other, unnamed clients.
First of a few remote code execution flaws in various popular torrent clients, here is a DNS rebinding vulnerability in Transmission, resulting in arbitrary remote code execution. https://t.co/kAv9eWfXlG
— Tavis Ormandy (@taviso) January 11, 2018
How to Protect Yourself
A fix is coming from Transmission, a representative told Ars Technica, but you can protect yourself from the hack in the meantime by modifying a few security settings. To quickly render the hack useless, you'll need to disable the remote access service in your BitTorrent client. In Transmission, you can simply visit your Preferences, hit the Remote tab, and uncheck the "Enable remote access" option.
Transmission on Windows 10.
If you'd rather leave your remote access option enabled, you should be sure to at least password-protect it (and store that information in your password manager). You can do it from the Remote tab where you enabled (or disabled) remote access to your computer.
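If you run the headless transmission-daemon instead of the desktop client, there is no Preferences dialog; the same two options (turn remote access off, or password-protect it) live in its settings.json. The audit below is an added example, not part of the article or of Transmission's own code: the key names are Transmission's, while the two sample documents and the remediate helper are constructed for illustration.

```python
import json

# transmission-daemon stores the GUI's "Remote" settings in settings.json
# (on Linux typically ~/.config/transmission-daemon/settings.json). The key
# names are Transmission's own; both sample documents are constructed.
WEAK_SETTINGS = """{
    "rpc-enabled": true,
    "rpc-authentication-required": false,
    "rpc-port": 9091
}"""

HARDENED_SETTINGS = """{
    "rpc-enabled": true,
    "rpc-authentication-required": true,
    "rpc-username": "transmission",
    "rpc-password": "{PLACEHOLDER-SALTED-HASH}",
    "rpc-port": 9091
}"""
# Transmission replaces a plaintext rpc-password with a salted hash
# (prefixed "{") the next time it starts; the value above stands in for that.


def audit_rpc_settings(settings_json):
    """Return the reasons the web/RPC interface is exposed in the way the
    article describes; an empty list means remote access is off or
    password-protected. A missing key is treated as the exposed value."""
    s = json.loads(settings_json)
    findings = []
    if not s.get("rpc-enabled", True):
        return findings  # remote access disabled: nothing for a browser to reach
    if not s.get("rpc-authentication-required", False):
        findings.append("remote access enabled without a password")
    elif not s.get("rpc-username") or not s.get("rpc-password"):
        findings.append("password required but username or password is empty")
    return findings


def remediate(settings_json, username=None, password=None):
    """Return a corrected settings document (constructed helper). Without
    credentials, remote access is switched off (the article's first option);
    with them, it stays on but requires a password (the second option).
    Transmission hashes the plaintext password on its next start."""
    s = json.loads(settings_json)
    if username and password:
        s["rpc-authentication-required"] = True
        s["rpc-username"] = username
        s["rpc-password"] = password
    else:
        s["rpc-enabled"] = False
    return json.dumps(s, indent=4)


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit_rpc_settings(doc) or "OK")
```

Stop the daemon before editing settings.json, since Transmission rewrites the file on shutdown and would otherwise overwrite your changes.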