Anyone using torrents to download files has knowingly or unknowingly accepted the security risks that come with it. Even websites hosting torrent links can hurt you, not just bad torrent clients with adware or corrupted files. But when one of the internet’s most popular torrent download clients is compromised, it could turn into a crisis.
Google Project Zero researcher Tavis Ormandy discovered bugs in uTorrent that allow websites to control, access, and spy on your computer.
Ormandy found that two different versions of uTorrent are affected by a number of easy-to-exploit vulnerabilities, which allow attackers to run code, access downloaded files, and read the user's download history. According to Project Zero, the vulnerabilities have been discovered in both the Windows app and the web version of uTorrent.
One thing to note here is that the vulnerabilities themselves don’t do anything. Rather, they give websites a chance to exploit security gaps and download malicious code into the Windows Startup folder, where it will run when you boot up the PC. Once the code is executed, websites can easily access downloaded files and browse the download history.
The vulnerabilities can only be exploited if you visit a malicious website. So even if you are using uTorrent, your download data might still be safe if you have kept your visits restricted to safe websites.
As for the fix, Dave Rees, VP of Engineering at BitTorrent, the developer of the uTorrent apps, has sent an email saying that the bugs have been fixed in the beta version of the app and that the fix will soon be released to the stable versions. He also urged users to update the uTorrent web app to build 0.12.0.502, either by visiting the uTorrent website or via the in-app update notification.