Wednesday, February 24, 2016

TOR web browser is a security nightmare

TOR is a network designed to let you access the Internet anonymously.  Torrents Time is a browser plugin that lets you download torrents and watch them directly in your browser.  It looks like it's a sucking chest wound of security fail:
Torrents Time is a new technology that allows users to instantly download and watch torrented material right inside their browser. Torrents Time benefits from a built-in VPN server and has seen a rise in popularity after The Pirate Bay (TPB) and Kickass Torrents (KAT), the Internet's biggest torrent portals, added live streaming buttons to their sites employing its technology.Users who want to use
...
Torrents Time fails to implement CORS, leaves users vulnerable to attack
According to Mr. Sampson, Torrents Time does not properly implement CORS (Cross-Origin Resource Sharing), a crucial Web security mechanism that prevents resources from being loaded from different domains.
This means that an attacker could create a malicious Web page that mimics a regular page (popup) created by TBP or KAT, and add their own malicious code, which, because of an improper CORS implementation, would be allowed to execute.
Mr. Sampson discovered that he could open a Torrents Time video player inside this malicious page and serve the user the torrent files they wanted. This could let the user think they're accessing a trustworthy Torrents Time video player, when, in reality, the attacker could be delivering malicious code in the background while the user is watching a movie.
If you use this, forewarned is forearmed.

5 comments:

SiGraybeard said...

So the issue is the Torrents Time plugin and not the TOR browser itself? The headline implies (well, states) the opposite.

I use TOR from time to time, mostly just to make sure it's available, working and I know how to run it should I need to. Never use Torrents at all on any machine.

Anonymous said...

Not supposed to use Tor for torrents anyways. Says so right on their site.

matism said...

I wonder how long it would have taken for this to be caught if the problem was NOT in an open-source product? And how sure one could be that the problem actually HAD been fixed when its owner had claimed to do so?

Archer said...

I'm assuming the quoted paragraphs are from an article somewhere. Could we get a link, to check out the whole thing?

Also, 2nd on SiGraybeard's comment: this seems to be a problem with the Torrents Time tech, not the TOR browser itself, right?

Borepatch said...

SiGraybeard, it's the Torrents Time plugin, not the browser. You are correct.