Jump to content

Supposed intentional security flaw?


Recommended Posts

A member of another site I'm on commented me with the following this morning:

"Just a little tip, utorrent 1.6 and onwards has a security flaw programed in to it, it can remote report your ip and dl history which is something you may well not want.

1.6 is apparently not to bad but 1.8 is riddled with crap.

I own a members torrent site with a php admin and assure you this is true. (we have all rolled back to 1.5, not so full of features but it runs like hell and as you say, its sweeet with the mem compared to azureus)

Any way, not telling you how to suck eggs or nowt, just trying to keep the p2p comunity safe"

What's with this, is this true or is this just some other paranoid hack trying to spread his paranoia? Does anyone even have any idea what he's talking about? Though I assume only the devs might have any idea...

Link to comment
Share on other sites

Haha that's what I said to him, where's the code, then?

I asked for his site's address too, but haven't gotten a response yet.

Thanks for the confirmation, I'll post back here with his site if this isn't locked by then, just for extra info or w/e.

Link to comment
Share on other sites

The staff rarely lock threads which actually encourage discussion. First thing I noticed.. the spelling and grammar. And in the absence of proof ... just think about the source. Take the ideology of people who listen to heresay and don't want to get an updated version of a program with more features and fixes and choose to tell others to do the same. If your way is right people will do themselves. Some groups try too hard with the FUD :/

Link to comment
Share on other sites

I only figured it might be locked cause it was addressed & answered promptly, no need for further if's and's or but's, but yeah that makes sense.

n I only even considered he might be right cause he was stating it as though he's versed with the code/protocol and knew first-hand. I still challenged it and asked for proof right away though, aside from reminding him that running Tor, keeping one's wireless unencrypted, and running PG2 make it pretty much totally unlikely that anything's going to happen. It's not all based on one's client in the first place.

I think the lack of proof was because it was some random 'hey whats up, by the way...' comment on a profile site in response to my blog entry of "µTorrent is the shit, I can't believe I used Azureus for so long." :P

edit:// "FUD"?

Link to comment
Share on other sites


Here's his response... no proof logs, but some bad press is pretty much all he has.

ill find out the full details for you, im not theprogramer but i assure you it is fact.

Its a hardcore music tracker, regs are closed for now im affraid.

this is ONE problem (not the one i said of)

Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data. Versions found to be vulnerable so far are the official BitTorrent 6.0 client,

uTorrent 1.7.x, uTorrent 1.6.x and uTorrent 1.8-alpha-7834.

Security vulnerabilities in BitTorrent clients are relatively rare, although not unheard of. Luigi Auriemma, a Milan-based security expert, claims to have found a vulnerability in various BitTorrent clients based on the way they handle user-supplied data. The flaw allows an attacker to crash the application, effectively denying service to legitimate users. Code execution is not possible, which means there is little reason for users to panic.

So far, the problem appears to affect these clients:

- BitTorrent 6.0 (build 5535)

- uTorrent 1.7.5 (build 4602)

- uTorrent 1.8 (alpha 7834)

Luigi is reporting that earlier versions of these clients may also be vulnerable and this appears to have been confirmed by the uTorrent team. The problems are confirmed to exist on Windows versions of the software. As yet, Mac and Linux versions of the official BitTorrent client have not been tested.

To read the full post follow below link


this is anouther one...

As many of you will know uTorrent was bought over by BitTorrent Inc recently.

After that there was much scaremongering over whether UT would sell off data to external comanies since bittorent had a deal with the MPAA.

I have it on a VERY reliable source that they are now watching you.

Advice is to downgrade to the 1.6 version:


I wouldnt post this if I didnt trust the guy telling me so please be aware.

If hes wrong then fine... but do you really want to risk it?

So, basically he can't back up his claim about reporting users' IPs, but he can back up some bad internet-press related to BT's acquisition of µT. Doof.

Link to comment
Share on other sites

About the DOS:

--- 2008-01-17: Version 1.8 alpha (build 7895)

- Change: Added link to forums on system tray icon

- Change: Add context menu for bandwidth allocation column in torrents listview

- Change: Close firewall entry of installing exe

- Change: Continue installing settings if installing to same path of exe

- Change: Add another hidden column to the files tab, "Name", that contains the original name of the individual file

- Fix: Saving of retargetted files relative to the torrent's download directory

- Fix: remote crash bug (affects all 1.6.x, 1.7.x, and 1.8 builds released to date)

--- 2008-01-15: Version 1.7.6 (build 7859)

- Change: do not use adapter subnet to identify local peers

- Fix: double-clicking to open items in RSS releases tab

- Fix: remote crash bug (affects all 1.7.x, and 1.8 builds released to date)

- Fix: limit local peers if disk is congested

Second post is crap ofc.

I wouldnt post this if I didnt trust the guy telling me so please be aware.

Such a comment only highlights the fact that there is no actual PROOF. It's just your typical 'trust me' FUD.

Link to comment
Share on other sites

1.6 is horribly buggy, lol. there's like 600 ways to exploit it and execute code (many more than just the malformed torrent exploit). The string handling is absolutely terrible. Under no circumstances should anyone use it.

The other bugs are really just crash bugs. Not code execution, just crashing your client.

If they honestly think a bug is an intentional security hole, they're complete morons.

Link to comment
Share on other sites

"Both the official BitTorrent and uTorrent clients are vulnerable to a remote denial-of-service attack, due to the way they handle user-supplied data."

Means nothing in and of itself.

If someone DDoS's your ip address, it doesn't automatically mean the client software is vulnerable...either the internet line, the Windows OS, any software firewalls, or lastly the client software may be causing the denial-of-service. Separating the culprit isn't as easy as it sounds...as numerous posts here have proven, what many people consider uTorrent problems are actually caused by OTHER software!

Link to comment
Share on other sites

I had to toss in my two cents here. First, examine the name of this topic - Intentional Security Flaw . How could any right-minded person think the writers of the most popular BT client (see TorrentFreak for stats) would intentionally build in a security flaw? Stuff like this happens by accident (hello Microsoft) and responsible folks let you know - I was using an old build and got the security update note pop-up and updated, something anyone does who is concerned about security flaws pays attention to, and the problem was addressed, as Lord Aderaan states, as soon as possible. One needs to read the intent as well as the content. Saying a bug is intentional is irresponsible and somewhat slanderous, IMO.

Link to comment
Share on other sites

Haha okay I get it, it was dumb to even consider it in the first place. Now that you put it that way.....

Anyway, haha he PMd me instead of just replying in the thread, n said "i really dont care, i was just passing on ifo, what you do with it is up to you..."


Link to comment
Share on other sites

now now... like begets like. I say ignorance is bliss until you're selling snake oil to someone else :P In this person's case they don't care about anything but talking to one (or however many people they PM) person and converting a few... because they lack the reasoning skills to make up their own decisions. ;) In any case, sheeple are everywhere so the only way to get rid of them is to educate.

Link to comment
Share on other sites

Holy hell, this guy just spammed my page for 5 hours, PMs, blogs, personal forum, everything. A bunch of illiterate childlike insults saying he has so much of a "vatly supirior intelect" than me and how I'm gay, etc. etc.

What a hassle. All because he heard from word-of-mouth that µTorrent was a scam and I shot him down.

Some people are so sad.

Link to comment
Share on other sites

You have a page?? OH on the tracker. :( Indeed. Some kiddies never grow up. (My uncle is an example of that) I guess it proves the point though... those who have a problem with uT have no basis in-fact and resort to ad-hominem and other things to distract the issue.

I still can't get over the fact, which Rama pointed out... why would someone code in a backdoor into a program.. unless we're talking about the NSA and Microsoft :P

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...