Researchers from Google have discovered two critical security flaws affecting the popular BitTorrent client uTorrent.
According to the researchers, the flaws affect both uTorrent’s web-based and desktop clients and could allow attackers to plant malware on a user’s computer and view their download history.
Tavis Ormandy, a security researcher with Google’s Project Zero, went public with details of the flaws 90 days after informing uTorrent of his discovery.
Project Zero gives vendors 90 days to patch any vulnerability it discovers. If they fail to meet the deadline, the vulnerability is publicly disclosed.
Ormandy said the flaws can be easily exploited, making it possible for attackers to control key aspects of the torrent client, including installing malware that becomes active the next time you start your PC.
The malware could be used to steal passwords, login credentials or other sensitive data.
In response, BitTorrent has said that the web version has already been patched and that it has rolled out a fix in the latest beta version of its uTorrent download client.
It added that it plans to push out the fix to all users later this week.
Until then, you may want to try the beta release or avoid downloading torrents altogether until the patch reaches the full version.
“We highly encourage all uTorrent Web customers to update to the latest available build 0.12.0.502 available on our website and also via the in-application update notification,” a spokesperson for BitTorrent said in an email.
This isn’t the first time Ormandy and Project Zero have highlighted security issues with BitTorrent.
In January, the team was forced to go public on a security flaw in BitTorrent’s Transmission app which could let attackers gain control of a user’s computer.
The BitTorrent Transmission app allows users to control torrent downloads directly from Chrome or Firefox.
Ormandy wrote about his frustration with BitTorrent over its delay in patching the flaw.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy wrote in his report.
“I’ve never had an open source project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather than months if we’re talking about open source.”