Jump to content

uTorrent Bookmarklet, or "Add new torrents from your iPhone"


Recommended Posts

hey man, thanks for bringing to light this little script you made its spot on! ive got it working with the public tracker site but im having problems using the private tracker im a VIP at, torrentleech.org

when clicking on the torrent download link it sends me to the webUI, but there is no sign of the torrent at all, every site ive tried works except this. An example of the download link form torrentleech is:


is there anything that can be done to get this working for this torrent site?

once again thanks for your hard work mate


Link to comment
Share on other sites

  • Replies 78
  • Created
  • Last Reply

I don't think it will work with private sites because those require cookie info.

You could try using the remote .torrent file handler instead. It downloads the torrent and then sends the .torrent file to µtorrent.

(This bookmarklet simply gives µtorrent the url and µtorrent then tries to download it. This works for public sites but for private sites µtorrent get redirected to the login page and thus fails.)

Link to comment
Share on other sites

You can actually easily extend this bookmarklet for any sites that require cookies. Basically, you need to conditionally add the :COOKIE: method to your URLs, as mentioned here.

Here's what that would look like:

javascript:(function() { var host = "http://<HOST>/gui/"; for (var i = 0; i < document.links.length; i++) { document.links[i].href = "javascript:(function() { var img = document.createElement('img'); img.setAttribute('src', '"+ host + "?action=add-url&s=" + encodeURIComponent(document.links[i].href) + (document.links[i].href.match(/<DOMAIN>/i) ? ":COOKIE:uid=<UID>;pass=<PASS>" : "") + "'); img.setAttribute('style', 'visibility:hidden'); document.body.appendChild(img); setTimeout('window.open(\"" + host + (navigator.userAgent.match(/iP(hone|od)/i) ? "iphone/i.html" : "") + "\", \"_self\");', 4000); })();"; } })();

All I did was add this code in:

+ (document.links[i].href.match(/<DOMAIN>/i) ? ":COOKIE:uid=<UID>;pass=<PASS>" : "")

You can add one of these for each site you frequent. Just fill in the right <DOMAIN>, <UID>, and <PASS>, and you're good to go.

Link to comment
Share on other sites

Doh! Yes. That should work ;)

I was afraid of suggesting automated solutions because that would open the bookmarklet to accusations of being a XSS hack (which it technically could be but because the expected, intended and actual behavior matches it wouldn't be). And you don't want the people with the target painters running around on the internet to cook up yet another avalanche of FUD.

But having to create an individual bookmark for every private tracker you use and entering the login info manually into the link of each bookmarklet pretty much removes that large flashy 'accuse me' signal.

Link to comment
Share on other sites

@Lord Alderaan:

Actually, since each :COOKIE: part is only added if it matches the correct target domain, you don't need a separate bookmarklet for each private tracker. You can add as many conditional concatenations as you like to your one master bookmarklet. For example:

+ (/*matches domain1*/ ? /*cookie1*/ : "") + (/*matches domain2*/ ? /*cookie2*/ : "")

As long as each match condition is mutually exclusive (meaning no domain is a substring of another), then it should all work fine.


Is your concern that I have quotes in my javascript? I assure you it all works well on Firefox, Internet Explorer, and Mobile Safari. If it's the actual "" in the code that worries you, that just means the empty string.

Link to comment
Share on other sites

For www.google.com the domain would be google

In firefox you can find out the uid and pass strings by going to Tools -=> Options -=> Privacy -=> Show Cookies -=> search for the domain and look for the cookie with the Cookie Name uid and pass. For each of the two cookies: Select it and copy the stuff from the Content field into your bookmarklet. (no idea how-to in IE)

For example it might look something like this:

+ (document.links[i].href.match(/myprivatetracker/i) ? ":COOKIE:uid=312;pass=834e934b902034a87d9d2b3c87fe4837" : "")

Link to comment
Share on other sites

Exactly! Well actually, I would've used "google.com" instead of "google" just to ensure it's differentiated from "googlesucks.org" or whatnot. Then again, that doesn't differentiate it from "suckitgoogle.com", so maybe there's no point. ;)

Perhaps I should make a little app/site/whatever that lets you fill in your host and port, along with a set of domain/uid/pass combinations and have it spit out a bookmarklet for you?

Link to comment
Share on other sites

Yeah, "google\\.com" would be better, but you're right that at some point there are diminishing returns.

Glad it's working for you, danfozzy!


The owner of this website contacted me through email:


He mentioned the following to me:

They are changing the way the webui service works in the next version of utorrent to fix a possible exploit.

In a nut shell they are changing the service (/gui/) to not accept any commands unless it contains a token which you get from the ui before sending the action.

When is this happening. Can someone point me to more details?

Link to comment
Share on other sites

  • 2 months later...

Hi. I registered just now, so that I could thank you for this great little Javascript!

It works brilliantly from within my LAN (I haven't tried the webUI from WAN side, yet), but I'm sure it will work fine after a little tweaking to my firewall and NAT.

It works fine on uTorrent 1.8rc6 (with webUI 0.315) and my iPod Touch (2.0 Firmware). I'll go to someware with WiFi access and try it out.

kentyman - The only clue I could find about the changes you mentioned above was in this post: http://forum.utorrent.com/viewtopic.php?id=42218. A couple of the guys from this post were on that thread, but it seems to me that Firon seemed to know a little bit about it, so you might want to consider PM-ing (or emailing).


Link to comment
Share on other sites

The token auth system will indeed break this script, as each URL would require a (periodically changing) token to be included as a GET variable in order for µTorrent to accept the request. The token can't be determined via Javascript, so there wouldn't be any workaround for this script (other than to disable the token auth system entirely).

Link to comment
Share on other sites

If the token can't be determined via javascript how can the original webui work :P

A future system will probably require two requests. One to login and get the token. The second to do the actual request. As such this bookmarklet system is either gona break or be very complicated. Other community efforts might be more easily converted.

If the token system is enabled by default in future builds we'll just have to add something along the lines of "For this gadget to work the webui token system has to be disabled. Warning this will reduce the general security of your webui. You can disable the token system by setting webui.token_auth to false in the µtorrent advanced preferences." to the first post.

Link to comment
Share on other sites

As I said, you can't get the token auth to work with the bookmarklet via Javascript. The point behind the token auth system is to prevent a potential CSRF issue. If a bookmarklet could work around it, then it would be completely useless a system -- any website would be able to continue using the CSRF "exploit" as well ;\

In this case, flexibility is an unfortunate tradeoff for security.

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...