A critical flaw in the popular Transmission BitTorrent app could allow hackers to remotely control users' computers. The flaw, uncovered by Google Project Zero security researchers, allows websites to execute malicious code on users' devices. Researchers also warned that BitTorrent clients could be susceptible to attacks as well if the flaw is leveraged.
Project Zero researcher Tavis Ormandy posted a proof-of-concept attack, which exploits a specific Transmission function, via which the BitTorrent app can be controlled with the user's web browser. Ormandy reportedly used a hacking technique called the "domain name system rebinding" to come up with a way by which to remotely control the Transmission interface when a vulnerable user visits a malicious site. According to Ormandy, the exploit attack works on Chrome and FireFox on Windows as well as on Linux.
Ormandy wrote in a tweet that the flaw was the "first of a few remote code execution flaws in various popular torrent clients".
Google Zero disclosed the proof-of-concept attack just 40 days after the researchers sent a private report to Transmission, which also came with a patch that fixes the vulnerability. Usually, Project Zero refrains from disclosing flaws for 90 days or until the developer has released a patch. However, this time, Google Zero researchers went ahead with an early disclosure of the flaw because, despite having received Google's report and patch on the flaw over a month ago, Transmission developers have reportedly failed to apply it yet.
"I'm finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won't reply, but let's see," Ormandy said in a public report.
"I've never had an open source project take this long to fix a vulnerability before, so I usually don't even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather months if we're talking about open source."
An official with Transmission told ArsTechnica that a fix is expected to be released "ASAP" but refrained from specifying an actual date.