Supposed intentional security flaw?

[Neurot1k]

A member of another site I'm on commented me with the following this morning:

"Just a little tip, utorrent 1.6 and onwards has a security flaw programed in to it, it can remote report your ip and dl history which is something you may well not want.

1.6 is apparently not to bad but 1.8 is riddled with crap.

I own a members torrent site with a php admin and assure you this is true. (we have all rolled back to 1.5, not so full of features but it runs like hell and as you say, its sweeet with the mem compared to azureus)

Any way, not telling you how to suck eggs or nowt, just trying to keep the p2p comunity safe"

What's with this, is this true or is this just some other paranoid hack trying to spread his paranoia? Does anyone even have any idea what he's talking about? Though I assume only the devs might have any idea...

[Firon]

Totally and utterly wrong.

Note the total lack of proof anywhere. None of these morons ever post wireshark logs with proof.

[Neurot1k]

Haha that's what I said to him, where's the code, then?

I asked for his site's address too, but haven't gotten a response yet.

Thanks for the confirmation, I'll post back here with his site if this isn't locked by then, just for extra info or w/e.

[jewelisheaven]

The staff rarely lock threads which actually encourage discussion. First thing I noticed.. the spelling and grammar. And in the absence of proof ... just think about the source. Take the ideology of people who listen to heresay and don't want to get an updated version of a program with more features and fixes and choose to tell others to do the same. If your way is right people will do themselves. Some groups try too hard with the FUD :/

[Neurot1k]

I only figured it might be locked cause it was addressed & answered promptly, no need for further if's and's or but's, but yeah that makes sense.

n I only even considered he might be right cause he was stating it as though he's versed with the code/protocol and knew first-hand. I still challenged it and asked for proof right away though, aside from reminding him that running Tor, keeping one's wireless unencrypted, and running PG2 make it pretty much totally unlikely that anything's going to happen. It's not all based on one's client in the first place.

I think the lack of proof was because it was some random 'hey whats up, by the way...' comment on a profile site in response to my blog entry of "µTorrent is the shit, I can't believe I used Azureus for so long."

edit:// "FUD"?

[Firon]

Fear, Uncertainty, Doubt. Tactic often used to spread doubt about a software.

[Neurot1k]

Ah.

Here's his response... no proof logs, but some bad press is pretty much all he has.

ill find out the full details for you, im not theprogramer but i assure you it is fact.

Its a hardcore music tracker, regs are closed for now im affraid.

this is ONE problem (not the one i said of)

Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client,

uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.

Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.

So far, the problem appears to affect these clients:

- BitTorrent 6.0 (build 5535)

- uTorrent 1.7.5 (build 4602)

- uTorrent 1.8 (alpha 7834)

Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.

To read the full post follow below link

http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/

this is anouther one...

As many of you will know uTorrent was bought over by BitTorrent Inc recently.

After that there was much scaremongering over whether UT would sell off data to external comanies since bittorent had a deal with the MPAA.

I have it on a VERY reliable source that they are now watching you.

Advice is to downgrade to the 1.6 version:

http://www.oldversion.com/download.php?idlong=95ccfd8e291a3a8b89105e3f74499a70

I wouldnt post this if I didnt trust the guy telling me so please be aware.

If hes wrong then fine... but do you really want to risk it?

So, basically he can't back up his claim about reporting users' IPs, but he can back up some bad internet-press related to BT's acquisition of µT. Doof.

[Lord Alderaan]

About the DOS:

--- 2008-01-17: Version 1.8 alpha (build 7895)

- Change: Added link to forums on system tray icon

- Change: Add context menu for bandwidth allocation column in torrents listview

- Change: Close firewall entry of installing exe

- Change: Continue installing settings if installing to same path of exe

- Change: Add another hidden column to the files tab, "Name", that contains the original name of the individual file

- Fix: Saving of retargetted files relative to the torrent's download directory

- Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)

--- 2008-01-15: Version 1.7.6 (build 7859)

- Change: do not use adapter subnet to identify local peers

- Fix: double-clicking to open items in RSS releases tab

- Fix: remote crash bug (affects all 1.7.x, and 1.8 builds released to date)

- Fix: limit local peers if disk is congested

Second post is crap ofc.

I wouldnt post this if I didnt trust the guy telling me so please be aware.

Such a comment only highlights the fact that there is no actual PROOF. It's just your typical 'trust me' FUD.

[Firon]

1.6 is horribly buggy, lol. there's like 600 ways to exploit it and execute code (many more than just the malformed torrent exploit). The string handling is absolutely terrible. Under no circumstances should anyone use it.

The other bugs are really just crash bugs. Not code execution, just crashing your client.

If they honestly think a bug is an intentional security hole, they're complete morons.

[Switeck]

"Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data."

Means nothing in and of itself.

If someone DDoS's your ip address, it doesn't automatically mean the client software is vulnerable...either the internet line, the Windows OS, any software firewalls, or lastly the client software may be causing the denial-of-service. Separating the culprit isn't as easy as it sounds...as numerous posts here have proven, what many people consider uTorrent problems are actually caused by OTHER software!

[Lord Alderaan]

The DOS he refers to, the one found by Luigi Auriemma, was a way to make the client crash (and thus deny service), it was real and it was fixed the same day it was brought to light.

http://torrentfreak.com/bittorrent-clients-vulnerable-to-remote-dos-attack-080117/

[Neurot1k]

Hahahaha, okay, thanks again guys.

[Ramalama1]

I had to toss in my two cents here. First, examine the name of this topic - Intentional Security Flaw . How could any right-minded person think the writers of the most popular BT client (see TorrentFreak for stats) would intentionally build in a security flaw? Stuff like this happens by accident (hello Microsoft) and responsible folks let you know - I was using an old build and got the security update note pop-up and updated, something anyone does who is concerned about security flaws pays attention to, and the problem was addressed, as Lord Aderaan states, as soon as possible. One needs to read the intent as well as the content. Saying a bug is intentional is irresponsible and somewhat slanderous, IMO.

[Neurot1k]

Haha okay I get it, it was dumb to even consider it in the first place. Now that you put it that way.....

Anyway, haha he PMd me instead of just replying in the thread, n said "i really dont care, i was just passing on ifo, what you do with it is up to you..."

douche

[jewelisheaven]

now now... like begets like. I say ignorance is bliss until you're selling snake oil to someone else In this person's case they don't care about anything but talking to one (or however many people they PM) person and converting a few... because they lack the reasoning skills to make up their own decisions. In any case, sheeple are everywhere so the only way to get rid of them is to educate.

[Neurot1k]

I tried, I kept referencing stuff you guys had said, but he kept trying to shoot it down with pseudo-facts until he finally gave up. Or, rather, stopped "trying to inform" me.

[Ramalama1]

I have always liked asking the question that starts out "What would I have to say to convince you that ____ is wrong" and then waiting for the sputtering to stop.

[Neurot1k]

Holy hell, this guy just spammed my page for 5 hours, PMs, blogs, personal forum, everything. A bunch of illiterate childlike insults saying he has so much of a "vatly supirior intelect" than me and how I'm gay, etc. etc.

What a hassle. All because he heard from word-of-mouth that µTorrent was a scam and I shot him down.

Some people are so sad.

[Firon]

I feel sorry for any user stuck on a tracker with him running it.

[jewelisheaven]

You have a page?? OH on the tracker. Indeed. Some kiddies never grow up. (My uncle is an example of that) I guess it proves the point though... those who have a problem with uT have no basis in-fact and resort to ad-hominem and other things to distract the issue.

I still can't get over the fact, which Rama pointed out... why would someone code in a backdoor into a program.. unless we're talking about the NSA and Microsoft

[Neurot1k]

haha no it's on IAM... the bmezine.com community page, not his tracker. he was never able to give me the URL before he went berzerk...