Torrents Time is a new technology that allows users to instantly download and watch torrented material right inside their browser. Users who want to use Torrents Time have to download its installer, which sets up a local Node.js server and also adds an extension to your browser.
According to developer,Andrew Sampson, the Torrents Time browser plugin that allows users to stream multimedia torrents in real time inside their browser is plagued by various security issues that range from XSS to MitM attacks.
Sites that employ it, like TPB and KAT, have to host a few files that allow the plugins to tap into their torrents database and query for torrent seeds and other data.Sampson says that this is where Torrents-Time plugin is vulnerable.
According to him, Torrents Time fails to implement CORS, leaves users vulnerable to attack. It does not properly implement CORS (Cross-Origin Resource Sharing), a crucial Web security mechanism that prevents resources from being loaded from different domains.
Sampson says that a potential hacker can create a specially crafted website loaded with malware to mimic a regular page (popup) created by TBP or KAT, and add their own malicious code, which, because of an improper CORS implementation, would be allowed to execute.
Another thing is that the JavaScript code delivered to the user’s browser by Torrents-Time could trickle down to the local Torrents Time Node.js server and query its API for details about the user. This function can be abused by advertisers to randomly check Internet users for those who have Torrent Time installed, and then collect information that can be used to track them online.
He also discovered that Torrents Time could also spy on users by tracking its users’ activity (IP, location, user agent, cookie, watched torrents, etc.).
According to Sampson, Mac users are at even more risk from using Torrents Time . This is because Torrents Time app for Mac runs as a root user.
A potential attacker abuses the app and installs malware on it. This is possible because Sampson discovered that the Torrent Time app could be forced to redownload the browser plugins at command and users will be forced to download a file from the attacker’s own server, probably infected with malware.
Sampson also said that, attackers could use malicious JS code to ping your local Torrents Time Node.js server with exactly 1024 bytes and force your CPU usage to remain between 50%-80% until the Torrents Time service is shut down or crashes.
Here's the Proof-Of-Concept code uploaded by Sampson.
