Torrents Time
Security researchers are claiming that the new Torrents Time plugin that lets users stream pirated content also harbours a nasty TrojanTorrents Time

A security researcher is claiming that the Torrents Time plugin, which is meant to help users stream pirated movies and TV content through their web browsers, is actually insecure and vulnerable to malicious activity.

Andrew Sampson, a US-based security researcher and developer of Aurous and Strike, tore down the Torrents Time plugin, which is now being used to stream content from popular torrent sites such as Pirate Bay, Kickass Torrents and the streaming software client Popcorn Time.

He discovered the plugin contained a Trojan that would allow attackers to tracker users, force users to stream specific torrents of content they might not want to watch and even perform cross-site scripting (XSS) attacks whereby malicious code can be injected by an attacker and executed from a website. Plus, the plugin also apparently has root access on the Max OSX operating system.

But Sampson isn't the only one complaining about Torrents Time. Slipstream, a security researcher with LizardHQ – an information think tank founded by ex-LulzSec hackers – has also posted a proof of concept for several of the reported issues, as well as a report on GitHub showing how Torrents Time bundles together both SSL certificates and private keys.

"In a gist, the main findings of this report is that Torrents Time is a privacy and security nightmare, not only does it open users up to drive-by attacks, it can easily open users up to malicious downloads/forced piracy by anyone who can write a few lines of code. One of the bigger concerns here is XSS, something that allows you to execute JavaScript on someone else's domain. This can open sites up to having users sensitive information stolen or – worse – exposing anonymity," Sampson told IBTimes UK.

"All sites should have analysed a bit more – blindly trusting closed source products is how you get yourself in a corner. This whole situation makes me feel bad I shut down my search engine Strike."

Popcorn Time.ag warning users to use only their version

Torrents Time has acknowledged that some of the reported issues are worrying and told Torrent Freak that it had patched the issue on 12 February, but it denies that it has deliberately tried to cause any harm to users.

The team behind one of the forks of Popcorn Time, namely PopcornTime.ag, has released a statement on Reddit warning its uses to patch their versions of Popcorn Time on its official website. There is no word yet from the European fork PopcornTime.se.

"That's not really a surprise, since we all know the dev team behind it, the shady SE fork. All we have seen from this group is Adware, a tracking service maliciously sold as a free VPN and a closed source software," PopcornTime.ag's developers wrote on Reddit.

"Our fork is now getting organised. Our community is willing to fix this security mess. The binaries are hot."

But Torrents Time rejects Sampson's analysis and says that jealousy is behind the attack on its plugin.

Team behind Torrents Time claims they're innocent

"Andrew Sampson, creator of the Aurous music streaming app, which was shut down after a law suit leading to Sampson's shame and heavy losses, apparently decided that if he was pulled down from the scene of content sharing, nobody should exist there. Apparently being hateful to everything around file sharing, he invents false accusations against Torrents Time with an aim to have it blocked or uninstalled. Or maybe he just wants the publicity, so he can finally find a job," Torrents Time's developers told IBTimes UK.

"It is obvious that he's really envious of Torrents Time corner-to-corner wide acceptance and warm welcome and he decided, apparently, to take it down, by making false accusations, each of which we'll tear up and expose the lack of truth or professionalism behind it."

Torrents Time says that it has fixed the problem so that site operators cannot force users to download torrents they don't want to watch. Regarding the user tracking, the team says it used an open source XHR function code and a "normal Javascript XHR object" that can already be found in the browser.

Regarding the plugin being able to run as root in Mac OSX, Torrents Time says the plugin needs root permission in order to integrate with VPN applications to ensure users' anonymity. With regards to XSS attacks, the team says it has alerted all its partners to make sure that site operators make guarantee such attacks cannot be injected.

"Despite Sampson's hollow statements, Torrents Time does not enable attackers to control your computer! It's safe, user-friendly and fun," the developers stressed.