A security researcher is claiming that the Torrents Time plugin, which is meant to help users stream pirated movies and TV content through their web browsers, is actually insecure and vulnerable to malicious activity.
Andrew Sampson, a US-based security researcher and developer of Aurous and Strike, tore down the Torrents Time plugin, which is now being used to stream content from popular torrent sites such as Pirate Bay, Kickass Torrents and the streaming software client Popcorn Time.
He discovered the plugin contained a Trojan that would allow attackers to track users, force users to stream specific torrents of content they might not want to watch and even perform cross-site scripting (XSS) attacks, whereby malicious code can be injected by an attacker and executed from a website. Plus, the plugin also apparently has root access on the Mac OSX operating system.
But Sampson isn't the only one complaining about Torrents Time. Slipstream, a security researcher with LizardHQ – an information think tank founded by ex-LulzSec hackers – has also posted a proof of concept for several of the reported issues, as well as a report on GitHub showing how Torrents Time bundles together both SSL certificates and private keys.
"All sites should have analysed a bit more – blindly trusting closed source products is how you get yourself in a corner. This whole situation makes me feel bad I shut down my search engine Strike."
PopcornTime.ag warning users to use only their version
Torrents Time has acknowledged that some of the reported issues are worrying and told TorrentFreak that it had patched the issue on 12 February, but it denies that it has deliberately tried to cause any harm to users.
The team behind one of the forks of Popcorn Time, namely PopcornTime.ag, has released a statement on Reddit warning its users to patch their versions of Popcorn Time on its official website. There is no word yet from the European fork PopcornTime.se.
"That's not really a surprise, since we all know the dev team behind it, the shady SE fork. All we have seen from this group is Adware, a tracking service maliciously sold as a free VPN and a closed source software," PopcornTime.ag's developers wrote on Reddit.
"Our fork is now getting organised. Our community is willing to fix this security mess. The binaries are hot."
But Torrents Time rejects Sampson's analysis and says that jealousy is behind the attack on its plugin.
Team behind Torrents Time claims they're innocent
"Andrew Sampson, creator of the Aurous music streaming app, which was shut down after a law suit leading to Sampson's shame and heavy losses, apparently decided that if he was pulled down from the scene of content sharing, nobody should exist there. Apparently being hateful to everything around file sharing, he invents false accusations against Torrents Time with an aim to have it blocked or uninstalled. Or maybe he just wants the publicity, so he can finally find a job," Torrents Time's developers told IBTimes UK.
"It is obvious that he's really envious of Torrents Time corner-to-corner wide acceptance and warm welcome and he decided, apparently, to take it down, by making false accusations, each of which we'll tear up and expose the lack of truth or professionalism behind it."
Regarding the plugin being able to run as root in Mac OSX, Torrents Time says the plugin needs root permission in order to integrate with VPN applications to ensure users' anonymity. With regard to XSS attacks, the team says it has alerted all its partners to make sure that site operators guarantee such attacks cannot be injected.
"Despite Sampson's hollow statements, Torrents Time does not enable attackers to control your computer! It's safe, user-friendly and fun," the developers stressed.