Security researchers at Google's Project Zero Team have found a critical vulnerability in the popular torrent client called BitTorrent.
BitTorrent app as we all know, is a very popular torrent client that many people use for peer-to-peer sharing of files, games, videos and other things.
According to Ars Technica, this vulnerability can be exploited by hackers and used to execute malicious code on user's computer.
Normally, Google's Project Zero team won't announce to the public about the vulnerability until a period of 90 days. In this case, the vulnerability was made public within 40 days because the report also contained a patch for it. The team also shared a proof-of-concept attack code.
The report explains how the flaw found on the BitTorrent app uses domain name system rebinding to control the Transmission interface whenever the victim visits a malicious website. After gaining control of the Transmission interface, the hacker(s) would then change the torrent download directory to home and download a torrent file named .bashrac. With this, the hacker(s) can configure the Transmission to run any command after the download has completed.First of a few remote code execution flaws in various popular torrent clients, here is a DNS rebinding vulnerability Transmission, resulting in arbitrary remote code execution. https://t.co/kAv9eWfXlG— Tavis Ormandy (@taviso) January 11, 2018
Also, it is worth to note that the Transmission developers claims to have a fix for this, though no date have been shared on when the release would be made available.