Seedboxes Beware: Major Bug in TorrentFlux-b4rt

Written by enigmax on August 09, 2009 

A seedbox supplier is warning of a serious bug just discovered in TorrentFlux-b4rt. The flaw, found by one of their customers, allows a user on a shared server to retrieve .torrent files uploaded by other users. Because those files embed each user's unique passkey, an attacker can extract it and masquerade as that user on private trackers.

TorrentFlux-b4rt is a popular spin-off of TorrentFlux, an open source web-based system for managing BitTorrent downloads on seedboxes. The main user interface is accessed via a web browser, and it is widely used by members of private BitTorrent trackers.

A member of support staff at Xirvik, a company selling seedboxes and other related services, told us a little about b4rt and the serious flaw one of their customers has just discovered.

“Torrentflux-b4rt is one of the major fully multi-user BitTorrent frontends that exist. It supports several clients (such as BitTornado and Transmission), the source code is available, and it’s been around for a long time.”

Xirvik told TorrentFreak that they have discovered a major bug in TorrentFlux-b4rt, one which lets a user read other users' .torrent files. While that might not initially sound that threatening, for private tracker users it constitutes quite a security breach. Contained in those .torrent files is the user's unique passkey, the per-account token that a private tracker embeds in the announce URL to identify who is sharing. Getting access to it allows the attacker to masquerade as the other user on that tracker, and anything the attacker then does (or fails to do, such as seeding) is attributed to the victim's account.

A user can access another user's torrent if he already knows the exact filename of the .torrent (easy to find from any search engine) and provided, of course, it is present on the server.

“Given a torrent with a name such as Ubuntu.8.10.Server-CANONICAL.torrent that already exists on the server, another user could upload another torrent with the name ubuntu.8.10.server-canonical.torrent (not necessarily all lowercase – just one different character is enough) and get access to the first file,” Xirvik explains.
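The failure mode Xirvik describes, and why the leaked file matters, as an added example in Python. This is illustrative code written for this page, not TorrentFlux-b4rt's own (which is PHP): the "loose" lookup is a model of the behaviour described above, not the actual b4rt code path, and the announce-URL layout `http://<host>/<passkey>/announce`, the filename rule, and the sample torrents and passkeys are constructed assumptions.

```python
# Added illustration, not TorrentFlux-b4rt's code: a loose filename lookup that
# leaks another user's .torrent, a scoped exact-match lookup that does not, and
# the passkey extraction that makes the leak matter.  Layouts are assumptions.
import re
from typing import Any, Dict, Optional, Tuple

# -- minimal bencode (BEP 3) encoder/decoder, enough for a .torrent file --
def bencode(obj: Any) -> bytes:
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):  # keys must be emitted in sorted byte order
        items = sorted(((k.encode() if isinstance(k, str) else k, v)
                        for k, v in obj.items()), key=lambda kv: kv[0])
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")

def bdecode(data: bytes) -> Any:
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value

def _decode(data: bytes, i: int) -> Tuple[Any, int]:
    c = data[i:i + 1]
    if c == b"i":                       # integer: i<digits>e
        j = data.index(b"e", i)
        return int(data[i + 1:j]), j + 1
    if c in (b"l", b"d"):               # list / dict, terminated by 'e'
        out: Any = [] if c == b"l" else {}
        i += 1
        while data[i:i + 1] != b"e":
            if c == b"l":
                v, i = _decode(data, i)
                out.append(v)
            else:
                k, i = _decode(data, i)
                out[k], i = _decode(data, i)
        return out, i + 1
    if c.isdigit():                     # byte string: <len>:<bytes>
        j = data.index(b":", i)
        n = int(data[i:j])
        return data[j + 1:j + 1 + n], j + 1 + n
    raise ValueError(f"bad bencode at offset {i}")

# Assumed private-tracker announce layout: http://<host>/<32-hex passkey>/announce
PASSKEY_RE = re.compile(rb"^https?://[^/]+/([0-9a-f]{32})/announce$")
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+\.torrent$")   # no path separators at all

def passkey_from_torrent(torrent: bytes) -> Optional[str]:
    m = PASSKEY_RE.match(bdecode(torrent).get(b"announce", b""))
    return m.group(1).decode() if m else None

class TorrentStore:  # in-memory stand-in for the per-user .torrent directory
    def __init__(self) -> None:
        self.files: Dict[Tuple[str, str], bytes] = {}

    def upload_loose(self, owner: str, name: str, data: bytes) -> bytes:
        # Vulnerable pattern: search every user's files by case-insensitive
        # name and reuse a hit, so a near-duplicate name yields the victim's file.
        for (_, stored), existing in self.files.items():
            if stored.lower() == name.lower():
                self.files[(owner, name)] = existing
                return existing
        self.files[(owner, name)] = data
        return data

    def upload_scoped(self, owner: str, name: str, data: bytes) -> bytes:
        # Hardened: validate the name, compare exactly, and never resolve a
        # name to anything outside the uploader's own (owner, name) namespace.
        if not SAFE_NAME.match(name):
            raise ValueError(f"rejected filename: {name!r}")
        if (owner, name) in self.files:
            raise FileExistsError(name)
        self.files[(owner, name)] = data
        return data

def make_torrent(passkey: str, name: str) -> bytes:  # constructed sample .torrent
    return bencode({"announce": f"http://tracker.example/{passkey}/announce",
                    "info": {"name": name, "piece length": 262144, "pieces": b"\0" * 20}})

def demo() -> Dict[str, Optional[str]]:
    victim_key, attacker_key = "0123456789abcdef" * 2, "fedcba9876543210" * 2
    victim_t = make_torrent(victim_key, "Ubuntu.8.10.Server-CANONICAL")
    attacker_t = make_torrent(attacker_key, "ubuntu.8.10.server-canonical")
    victim_name = "Ubuntu.8.10.Server-CANONICAL.torrent"
    attacker_name = "ubuntu.8.10.server-canonical.torrent"   # differs only in case
    loose, scoped = TorrentStore(), TorrentStore()
    loose.upload_loose("alice", victim_name, victim_t)
    scoped.upload_scoped("alice", victim_name, victim_t)
    return {
        "victim_key": victim_key,
        "loose_gets": passkey_from_torrent(loose.upload_loose("mallory", attacker_name, attacker_t)),
        "scoped_gets": passkey_from_torrent(scoped.upload_scoped("mallory", attacker_name, attacker_t)),
    }
```

Calling demo() returns the victim's passkey under "loose_gets" and the attacker's own key under "scoped_gets": with the loose lookup, Mallory's upload of a name that differs only in case is answered with Alice's file, and a single bdecode of the announce URL hands over her passkey. The scoped version keys storage by (owner, exact name) and also refuses names containing path separators, the kind of extra check worth adding while patching a lookup like this.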

Luckily Xirvik has not only found and reported the bug but has also worked on a fix, which can be found here on the TorrentFlux-b4rt forums.


40 Responses

1 Aug 09, 2009 at 22:42 by Fail

Regular torrentflux is unaffected?

2 Aug 09, 2009 at 22:45 by Koekje

Wouldn’t appear so.

3 Aug 09, 2009 at 22:49 by Factx

Thanks for that report!

Btw, does anybody use torrentflux from leaseweb? A friend and I have had problems reaching tracker.thepiratebay.org from there..

torrentflux rules..

4 Aug 09, 2009 at 23:38 by Adam

There are many bugs in torrentflux-b4rt; the last time a version came out was March 2008, so I highly doubt this will ever get fixed.

5 Aug 10, 2009 at 00:29 by ME

There were quite a few bugs last time I used b4rt, but it's still a sweet torrent program.

6 Aug 10, 2009 at 00:38 by John

At first I thought you meant the private tracker's username/pass. Just the session key to the tracker is far more timid.

Surely these sorts of keys would expire after a short period of time…?

7 Aug 10, 2009 at 00:39 by Anonymous

Why the hell would you use a seedbox on tpb?

8 Aug 10, 2009 at 00:51 by heh

#3: You’re an idiot, plain and simple.

#6: No. Your passkey is set when you create your account and can only be reset by a staff member in emergency cases.

9 Aug 10, 2009 at 01:37 by Private Trackers Fail Again

Fails again.

“Private trackers” are sooo much better we hear from wise-A**es here all the time!

Bullshit!

Yet another example of programs that can be used to screw members on a “Private tracker”

Elsewhere, “Private tracker” – Not really private, due to the mass of users.

10 Aug 10, 2009 at 01:39 by josh

Good thing I set up my own seedbox on my vps.

11 Aug 10, 2009 at 02:14 by levitron

Mr. Private Tr.F.A.
You talk like a nOOb that got banned on a P.T. so now you bash them.
go back to your Public tracker and keep quiet or I’ll tell your mom to ground you from yr computer.

12 Aug 10, 2009 at 03:04 by money

@levitron
hahah pwnd.

But yeah, I don't see the point of a private tracker. I have a demonoid account but most everything I need is on the piratebay. I'm not dissing private trackers, but people shouldn't be snobs about it. Basically the only advantage is the personal aspect, talking to people and sharing files. Of course I always love Tpb's comments page haha

13 Aug 10, 2009 at 05:27 by PetFoodz.Info

Demonoid is great.. Lots of rare gems not found elsewhere..

14 Aug 10, 2009 at 06:05 by Anonymous

Aside from this flaw, which could happen to anything, there are some other reasons I really dislike "private trackers", and here are some of them:

- Those people make some ridiculous rules and act like those rules are the word of God. I read the rules from a lot of private trackers and what I can say is that even dictatorships are more open LoL

- The managers are paranoid beyond belief. Don't you dare say something that could be construed as a criticism, seriously! Anything at all; better never, ever write to anybody about it or you are banned. The MAFIAA is bad, but some private trackers are just as bad. I never was banned, but I saw people asking "why" and being banned.

- The speed is the same on public and private for me so I don’t see the point to have to bear those rules that make any dictatorship feel like freedom.

- Private trackers claim that privacy is better. Well, those people are either morons or they have an agenda behind it, because you cannot seriously say that a central server, with a known location, on which complete strangers regularly join and which has to track your IP and client to know and define your ratio, can be "private" and secure.

- If there is a problem you have to deal with those same people who would ban anyone for anything, and some of them are hyper-narcissists, so you have to tread very carefully.

It is just not worth the hassle for me. But there are people who like it, and it is a choice but please don’t say it is secure or private, brag about speed if you must because I don’t see a difference because my connection is so fast but others in the pre-historic U.S. broadband (if you can call it that) may see a difference LoL

15 Aug 10, 2009 at 06:12 by firstnoob

My issue with Torrentflux-b4rt (Transmission back-end) was that it opened up a new python process for every torrent. Having 100+ python processes running was rather unacceptable.

So I switched to rtorrent + wtorrent webgui, and never looked back. The ajax in wtorrent makes checking status on your torrents seamless without refreshing the page. Highly recommended setup if you have the patience to set it up.

16 Aug 10, 2009 at 07:55 by bluber

why pay for seedboxes when usenet is so much better

n00bs

17 Aug 10, 2009 at 07:55 by bluber

_______________________________________

18 Aug 10, 2009 at 07:58 by Stupid

The BUG is that PIRATES are running the store. WHO in his right mind would trust PIRATES with their personal data??

19 Aug 10, 2009 at 08:06 by CF

18 you’re right, trust RIAA instead.

20 Aug 10, 2009 at 09:06 by Dave Evans

rtGui FTW! http://rtgui.googlecode.com I’m an old TorrentFlux user, but since finding rtGui a year or two ago haven’t looked back.

21 Aug 10, 2009 at 09:23 by Anonymous

@16,18: ignorance is bliss

22 Aug 10, 2009 at 09:31 by dom.player

what is the difference between torrentflux-b4rt and http://torrentflux.com ???

i know i need a seedbox, but which is better?

23 Aug 10, 2009 at 10:03 by Anonymous

Even though I only share my seedbox with close friends, I went to my seedbox hosting company's website all prepared to open a support ticket. But they had already fixed it and put up a blog post about it. http://seedboxhosting.com/seedbox/151/patch-applied-to-all-torrentflux-b4rt-seedboxes

ha.. that was fast! That is one reason to have a good seedbox – don’t have to fuss with this kinda shit myself.

#14: There are many other reasons for using private trackers that you may not have thought of. For instance, quality control… I don’t have to wade through tons of crap to find a good release of something – the community and uploaders make sure that duplicates and less than perfect torrents are not to be found. Instead, you get just one of everything in every format with well laid out tagging and categorization structures.

And yea, the speeds are faster no matter what country you are from.

24 Aug 10, 2009 at 10:15 by HNicolai

That’s why you should use µTorrent WebUI :P

25 Aug 10, 2009 at 11:17 by Duek

What's better, wtorrent or rtgui?

26 Aug 10, 2009 at 11:31 by Anonymous

The pic is hilarious :D

27 Aug 10, 2009 at 14:46 by helnwein

wTorrent here. 8 core, 16gb ram, 8tb hd space, 1gbit/1gbit connection.

28 Aug 10, 2009 at 17:05 by Dave Evans

rtGui here. 1 core, 128Mb, 20Gb HD, ADSL. Runs like a dream ;)

29 Aug 10, 2009 at 20:31 by helnwein

@28 haha very nice!

30 Aug 10, 2009 at 20:51 by Zoness

Private trackers speeds are so much better than public trackers I don’t know where people get the garbage idea that they aren’t from.

31 Aug 10, 2009 at 21:38 by Anonymous

Passkeys want to be shared. Everyone should share their passkeys. How is it fair that some people have passkeys and others don’t? Having passkeys is a fundamental, inalienable human right. When someone takes your passkey and uses it what they are doing is complimenting you on having such a nice passkey and you should thank them for sharing it.

32 Aug 11, 2009 at 02:52 by Mikey

#3: You’re an idiot, simple as that!..

Torrent flux is crap... better off getting a Dedicated Server and installing u-torrent :)

33 Aug 11, 2009 at 11:01 by loltorrents

LOL!LOL!LOL!LOL!… torrents LOL!LOL!LOL!

34 Aug 11, 2009 at 19:59 by jon smith

utorrent FTW! I have used multiple seedboxes running Torrent flux, and IMO it's a system hog.

Recently got a utorrent seedbox and it works better than my previous Torrent flux seedboxes.

35 Aug 12, 2009 at 00:46 by Anonymous

xzxczxczx
cz

36 Aug 12, 2009 at 07:59 by omfg

I have patched it ==_

37 Aug 12, 2009 at 12:23 by John

Noticed this a while ago on my xirvik account. I knew I could get other user’s .torrent files from private sites, but I didn’t realise what that could mean! :)

38 Aug 12, 2009 at 14:19 by =

amazing @14

39 Aug 17, 2009 at 02:51 by anon

I use rtorrent with no web ui since it uses resources and I like to have as many torrents running as possible.

If you do want one I suggest rtgui, but there is a new one about called rutorrent that looks exactly like the utorrent one, only for rtorrent. They are both on google code.

40 Aug 19, 2009 at 18:17 by Factx

#8 & #32: Yea sure, and you guys must be the smartest ppls around..

I have a dedicated server and torrent flux works great for me.

If you have some other suggestions come with them instead of acting like 3 year olds..
