People who download torrents are being warned about a critical security flaw discovered in the Transmission BitTorrent app, which allows hackers to take control of a user's computer.
The flaw has been uncovered by security researcher Tavis Ormandy from Google’s Project Zero security team who tweeted about the flaw on Monday.
Ormandy said the flaw is present in Transmission's remote-control function, which allows users to control the client from their web browser. He also warned that other BitTorrent clients are susceptible too.
According to Ormandy, the flaw works on Windows devices running Chrome and Firefox, as well as on Linux.
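The defensive check that blunts DNS rebinding against a loopback-bound web control interface, shown as an added illustration that is not code from Transmission or from Ormandy's report: the allow-list contents, the constructed sample requests and the 421 response are assumptions.

```python
"""Host-header allow-list for a localhost web/RPC control interface (added example).

In a DNS rebinding attack the browser sends its request to whatever address the
attacker's hostname currently resolves to, but the Host header still carries the
attacker's hostname. A service bound to loopback can therefore reject any request
whose Host header is not a name it legitimately answers to.
"""
import ipaddress
from typing import Iterable, Tuple

# Names a loopback-bound service legitimately answers to (assumed allow-list).
DEFAULT_ALLOWED_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def _host_without_port(host_header: str) -> str:
    """Return the host part of a Host header, dropping any :port suffix."""
    value = host_header.strip().lower()
    if value.startswith("["):             # bracketed IPv6 literal, e.g. [::1]:9091
        end = value.find("]")
        return value[1:end] if end != -1 else value
    if value.count(":") > 1:              # bare IPv6 literal, no port possible
        return value
    host, sep, port = value.rpartition(":")
    if sep and port.isdigit():            # "name:9091" -> "name"
        return host
    return value


def host_header_allowed(host_header: str, allowed: Iterable[str] = DEFAULT_ALLOWED_HOSTS) -> bool:
    """True only if the Host header names this service: an allow-listed name or a loopback IP."""
    host = _host_without_port(host_header)
    if not host:
        return False
    if host in {h.lower() for h in allowed}:
        return True
    try:                                  # any loopback IP literal (127.0.0.0/8, ::1) is acceptable
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # not an IP literal, and not allow-listed
        return False


def check_request(headers: dict) -> Tuple[int, str]:
    """Return the HTTP status the control interface should answer with for these headers."""
    # Header names are case-insensitive; a missing Host header is treated as hostile.
    host = next((v for k, v in headers.items() if k.lower() == "host"), "")
    if host_header_allowed(host):
        return 200, "OK"
    return 421, "Misdirected Request"     # assumed response for a foreign Host header


if __name__ == "__main__":
    # Constructed sample requests: a legitimate local one and a rebinding-style one.
    print(check_request({"Host": "localhost:9091"}))
    print(check_request({"Host": "rebinding-host.example:9091"}))
```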
Ormandy said the flaw was the “first of a few remote code execution flaws in various popular torrent clients”.
First of a few remote code execution flaws in various popular torrent clients, here is a DNS rebinding vulnerability in Transmission, resulting in arbitrary remote code execution. https://t.co/kAv9eWfXlG
— Tavis Ormandy (@taviso) 11 January 2018
Ormandy and Google's Project Zero were forced to go public with details of the flaw because Transmission's developers had apparently failed to patch it, despite being notified more than 40 days earlier.
“I’m finding it frustrating that the transmission developers are not responding on their private security list, I suggested moving this into the open so that distributions can apply the patch independently. I suspect they won’t reply, but let’s see,” Ormandy wrote in his report.
“I’ve never had an open source project take this long to fix a vulnerability before, so I usually don’t even mention the 90-day limit if the vulnerability is in an open source project. I would say the average response time is measured in hours rather than months if we’re talking about open source.”
According to Ars Technica, the developers have said a patch will be rolled out “asap” but haven’t specified a date.