TorrentFlux-b4rt is a popular spin-off of TorrentFlux, an open source web based system for managing BitTorrent downloads on seedboxes. The main user interface is accessed via a web browser and it widely used by members of private BitTorrent trackers.
A member of support staff at Xirvik, a company selling seedboxes and other related services, told us a little about b4rt and the serious exploit one of their customers has just discovered.
“Torrentflux-b4rt is one of the major fully multi-user BitTorrent frontends that exist. It supports several clients (such as BitTornado and Transmission), the source code is available, and it’s been around for a long time.”
Xirvik told TorrentFreak that they have discovered a major bug in TorrentFlux-b4rt, one which could lead to users having access to other users’ torrents. While that might not initially sound that threatening, for private tracker users it constitutes quite a security breach. Contained in those .torrent files is the user’s unique torrent passkey which allows sharing on a private site. Getting access to this allows the attacker to masquerade as the other user on private trackers
A user can access another user’s torrents if he already knows the exact name of the torrent (easy to find from any search engine) and provided, of course, it is present on the server.
“Given a torrent with a name such as Ubuntu.8.10.Server-CANONICAL.torrent that already exists on the server, another user could upload another torrent with the name ubuntu.8.10.server-canonical.torrent (not necessarily all lowercase – just one different character is enough) and get access to the first file,” Xirvik explains.
Luckily Xirvik has not only found the bug and reported it, but have also worked on a fix which can be found here on the TorrentFlux-b4rt forums.