uTorrent parent company BitTorrent Inc has escaped a disaster of epic proportions after its code and financial information were exposed to the world earlier this year. The San Francisco company reportedly failed to secure its Jenkins panel which allowed passers-by to take control over pretty much the entire company. The person who reported the vulnerability has now chosen to go public with his findings after becoming upset by BitTorrent Inc’s failure to recognize his good deed.
With its uTorrent and BitTorrent mainline clients, BitTorrent Inc caters to more than 150 million monthly users.
Considering the size of this massive user base, one doesn’t need a lot of imagination to come up with several disaster scenarios that might unfold should a malicious third party gain access to all these clients. But that is exactly what could’ve happened earlier this year if it wasn’t for “MentaL”, an admin at RaGEZONE.
This spring, MentaL was looking for a hosting provider for a friend when he stumbled upon the Jenkins panel of BitTorrent Inc. This turned out to be the gateway to a treasure trove of highly confidential information that could have destroyed the company if it had landed in the wrong hands.
“They forgot to set a user/pass to the admin panel, that had access to github from a master account. Github accounts had usernames and passwords that were linked to everything,” MentaL told TorrentFreak.
BitTorrent’s Jenkins panel
Luckily for BitTorrent Inc, MentaL wasn’t out to do harm. He contacted the company in May to report his findings and was duly thanked and promised a reward in return. BitTorrent Inc quickly secured the Jenkins panel, but to MentaL’s surprise no reward was forthcoming.
MentaL says that when he contacted BitTorrent Inc he was treated rudely and was eventually offered a $500 reward for which he should send an invoice. MentaL was insulted by this “low” offer and instead of taking it he decided to share his findings with the rest of the world. While he never copied any of the files available through the panel, he did take screenshots which show how severe the “leak” was.
Through the open Jenkins panel anyone had access to the heart of the company, including financial details, user accounts and the source code to pretty much all released and unreleased software including uTorrent.
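The failure described here is a Jenkins master with global security switched off. As an added illustration (not code from the article or from BitTorrent Inc), the audit below parses a Jenkins `config.xml` and flags the settings that leave a panel open to anonymous visitors; the two sample configs are constructed for the example, though the element and class names are the ones Jenkins itself writes.

```python
import xml.etree.ElementTree as ET

# Constructed samples of $JENKINS_HOME/config.xml: an open instance and a
# locked-down one. Element and class names are real Jenkins ones; the
# files themselves are ours, not anything from the BitTorrent incident.
OPEN_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""

LOCKED_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""


def audit_jenkins_config(xml_text: str) -> list[str]:
    """Return findings for anonymous-access weaknesses; empty means none found."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("useSecurity", "false").strip().lower() != "true":
        findings.append("useSecurity is not true: every visitor is an administrator")
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or cls.endswith("AuthorizationStrategy$Unsecured"):
        findings.append("authorizationStrategy is Unsecured: no permission checks at all")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        if strategy.findtext("denyAnonymousReadAccess", "false").strip().lower() != "true":
            findings.append("anonymous users can read jobs, builds and console output")
    elif cls.endswith("MatrixAuthorizationStrategy"):
        # Matrix entries look like "hudson.model.Hudson.Administer:anonymous".
        for perm in strategy.findall("permission"):
            if (perm.text or "").strip().endswith(":anonymous"):
                findings.append(f"matrix grants anonymous: {perm.text.strip()}")
    realm = root.find("securityRealm")
    rcls = realm.get("class", "") if realm is not None else ""
    if realm is None or rcls.endswith("SecurityRealm$None"):
        findings.append("securityRealm is None: no logins exist, so nothing is gated")
    elif rcls.endswith("HudsonPrivateSecurityRealm"):
        if realm.findtext("disableSignup", "false").strip().lower() != "true":
            findings.append("self-signup is enabled: anyone can create an account")
    return findings
```

Run it over the real file on a build server (or add it to a CI check) so a master that ever reverts to the open configuration is noticed before a passer-by notices it.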
“Anyone who had the access I had would be able to steal the source code of all BitTorrent products and more,” MentaL told TorrentFreak.
“Truth be told, I had access to so much content that I was really unaware of what most of it would and could do! But one extreme scenario that I could have done hypothetically if I was some idiot would be to tweak the actual live build and push an update that could include a virus that would destroy all user content who installed the update,” he adds.
uTorrent source code
So, in theory, a malicious person could have updated millions of live torrent clients with viruses, or worse. In addition, it would be possible to reveal stacks of confidential documents including financial information and detailed job offerings.
“In regards to the financial documents, I only checked several and it included payments and balances to and from the company. Other documents I saw were job offers with introductory salaries that reached over $150,000 starting wage,” MentaL told us.
“It was quite extreme and shocking.”
Below is a screenshot of a letter that was sent to the Brazil consulate in Los Angeles. As MentaL has no intention of doing the company any permanent harm, the details of the letter have been redacted.
Letter to the consulate
In another screenshot several source files of BitTorrent’s software and databases are visible. In addition, MentaL tells us that he had access to usernames and passwords for SQL databases. Needless to say, there are plenty of possibilities to exploit this kind of data for nefarious purposes.
The above clearly shows that BitTorrent Inc has narrowly escaped a massive disaster. Perhaps they could have been a bit more appreciative of the way MentaL reported the problems, as that would have saved the company from having the rather embarrassing mistake out in the open.
“I felt I wanted to share and express my annoyance regarding the matter. They make millions a year in ad revenue alone and I never released, tweaked, sent fake builds or nothing out to any user and I feel insulted,” MentaL concludes.
TorrentFreak contacted BitTorrent Inc for a comment on the potential disaster and we will add their response when it comes in. It could be that they are still busy counting their blessings.