TorrentFreak

The place where breaking news, BitTorrent and copyright collide

Seedboxes Beware: Major Bug in TorrentFlux-b4rt

A seedbox supplier is warning of a serious bug just discovered in TorrentFlux-b4rt. The exploit, found by one of their customers, allows a user on a shared server to obtain torrents uploaded by other users. This enables the attacker to obtain another user’s unique passkey and masquerade as them on private trackers.

TorrentFlux-b4rt is a popular spin-off of TorrentFlux, an open source web based system for managing BitTorrent downloads on seedboxes. The main user interface is accessed via a web browser and it is widely used by members of private BitTorrent trackers.

A member of support staff at Xirvik, a company selling seedboxes and other related services, told us a little about b4rt and the serious exploit one of their customers has just discovered.

“Torrentflux-b4rt is one of the major fully multi-user BitTorrent frontends that exist. It supports several clients (such as BitTornado and Transmission), the source code is available, and it’s been around for a long time.”

Xirvik told TorrentFreak that they have discovered a major bug in TorrentFlux-b4rt, one which could lead to users having access to other users’ torrents. While that might not initially sound that threatening, for private tracker users it constitutes quite a security breach. Contained in those .torrent files is the user’s unique torrent passkey which allows sharing on a private site. Getting access to this allows the attacker to masquerade as the other user on private trackers.
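To make concrete why a leaked .torrent file is a leaked passkey, here is an added example (not code from TorrentFlux-b4rt or from Xirvik): a minimal bencode decoder that pulls the announce URL out of a constructed .torrent, finds the passkey segment in it, and a redaction helper for logging such URLs safely. The 32-hex-character passkey layout, the tracker host `tracker.example` and the sample passkey are constructed assumptions, not values from any real tracker.

```python
# Added example, not code from TorrentFlux-b4rt: a minimal bencode decoder that
# shows where a private tracker's passkey lives inside a .torrent file, and a
# redaction helper for logs. The 32-hex-character passkey layout and the tracker
# host below are constructed assumptions, not values from any real tracker.
import re


def bdecode(data: bytes):
    """Decode one bencoded value (int, bytes, list or dict) from `data`."""

    def _decode(i: int):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<item>...e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = _decode(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e, keys are byte strings
            d, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = _decode(i)
                d[key], i = _decode(i)
            return d, i + 1
        if c.isdigit():                    # byte string: <length>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            if start + length > len(data):
                raise ValueError("byte string runs past end of data")
            return data[start:start + length], start + length
        raise ValueError(f"invalid bencode at offset {i}")

    value, end = _decode(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def announce_url(torrent: bytes) -> str:
    """Return the tracker announce URL embedded in a .torrent file."""
    meta = bdecode(torrent)
    return meta[b"announce"].decode()


# Assumed passkey shape: a 32-character hex path segment in the announce URL.
PASSKEY_RE = re.compile(r"/([0-9a-f]{32})/")


def passkey_from_announce(url: str):
    """Extract the per-user passkey from an announce URL, or None if absent."""
    m = PASSKEY_RE.search(url)
    return m.group(1) if m else None


def redact_passkey(url: str) -> str:
    """Mask the passkey so announce URLs can be logged without leaking it."""
    return PASSKEY_RE.sub("/<redacted>/", url)


def _bstr(s: str) -> bytes:
    """Bencode a string as <length>:<bytes>."""
    b = s.encode()
    return str(len(b)).encode() + b":" + b


# Constructed sample .torrent: placeholder passkey, placeholder tracker host.
SAMPLE_PASSKEY = "0123456789abcdef0123456789abcdef"
SAMPLE_ANNOUNCE = f"https://tracker.example/{SAMPLE_PASSKEY}/announce"
SAMPLE_TORRENT = (
    b"d" + _bstr("announce") + _bstr(SAMPLE_ANNOUNCE)
    + _bstr("info") + b"d" + _bstr("length") + b"i1024e"
    + _bstr("name") + _bstr("ubuntu.iso") + b"e"
    + b"e"
)

if __name__ == "__main__":
    url = announce_url(SAMPLE_TORRENT)
    print("announce:", redact_passkey(url))
    print("passkey present:", passkey_from_announce(url) is not None)
```

The point for a seedbox operator is that the .torrent file is itself a credential: anything that serves it, logs it or backs it up needs the same access control as the user's password, and announce URLs should be redacted before they reach shared logs.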

A user can access another user’s torrents if he already knows the exact name of the torrent (easy to find from any search engine) and provided, of course, it is present on the server.

“Given a torrent with a name such as Ubuntu.8.10.Server-CANONICAL.torrent that already exists on the server, another user could upload another torrent with the name ubuntu.8.10.server-canonical.torrent (not necessarily all lowercase – just one different character is enough) and get access to the first file,” Xirvik explains.
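The collision Xirvik describes, as an added example that is not TorrentFlux-b4rt's code: a simplified in-memory model of a shared torrent store whose lookup is keyed on the case-folded filename with no owner check, beside a hardened store that keys entries by a random id and ties every fetch to the owner. How b4rt itself resolved uploaded names is not on this page, so the vulnerable lookup is an assumption about how a one-character name difference could hand back another user's file; the user names, ids and sample bytes are constructed.

```python
# Added example, not TorrentFlux-b4rt code: a simplified in-memory model of the
# collision Xirvik describes, beside a hardened store. How b4rt itself resolved
# uploaded names is not on the page, so the vulnerable lookup below is an
# assumption about how a case-only name difference could hand back another
# user's file; the hardened design is the standard fix.
import secrets
from dataclasses import dataclass


@dataclass
class StoredTorrent:
    owner: str
    name: str
    data: bytes


class VulnerableStore:
    """Single shared namespace keyed by case-folded filename, with no owner check.
    A second upload whose name differs only in case maps onto the existing entry."""

    def __init__(self):
        self.files: dict[str, StoredTorrent] = {}

    def upload(self, user: str, name: str, data: bytes) -> StoredTorrent:
        key = name.lower()                 # case-insensitive key across all users
        if key in self.files:              # "already on the server": return it as-is
            return self.files[key]         # owner never compared against `user`
        self.files[key] = StoredTorrent(user, name, data)
        return self.files[key]


class HardenedStore:
    """Entries keyed by a random id and tied to their owner; the client-supplied
    filename is metadata only and is never used to locate a file."""

    def __init__(self):
        self.files: dict[str, StoredTorrent] = {}

    def upload(self, user: str, name: str, data: bytes) -> str:
        tid = secrets.token_hex(16)
        self.files[tid] = StoredTorrent(user, name, data)
        return tid

    def fetch(self, user: str, tid: str) -> StoredTorrent:
        entry = self.files.get(tid)
        if entry is None or entry.owner != user:
            # Same error either way: do not reveal whether the id exists.
            raise PermissionError("no such torrent for this user")
        return entry

    def list_for(self, user: str) -> list[str]:
        return [tid for tid, e in self.files.items() if e.owner == user]


# Constructed sample data; the first name is the one quoted in the article.
ALICE_NAME = "Ubuntu.8.10.Server-CANONICAL.torrent"
BOB_NAME = "ubuntu.8.10.server-canonical.torrent"
ALICE_DATA = b"<alice's torrent, contains her passkey>"


def vulnerable_collision() -> StoredTorrent:
    """Bob's upload of a case-variant name returns Alice's stored entry."""
    store = VulnerableStore()
    store.upload("alice", ALICE_NAME, ALICE_DATA)
    return store.upload("bob", BOB_NAME, b"<bob's own torrent>")


def hardened_isolation() -> bool:
    """Same sequence against the hardened store: Bob only ever sees his own entry."""
    store = HardenedStore()
    alice_id = store.upload("alice", ALICE_NAME, ALICE_DATA)
    bob_id = store.upload("bob", BOB_NAME, b"<bob's own torrent>")
    try:
        store.fetch("bob", alice_id)
        return False                       # should be unreachable
    except PermissionError:
        pass
    return (store.fetch("bob", bob_id).owner == "bob"
            and store.list_for("bob") == [bob_id])


if __name__ == "__main__":
    leaked = vulnerable_collision()
    print("vulnerable store handed bob a file owned by:", leaked.owner)
    print("hardened store isolates users:", hardened_isolation())
```

The design lesson is the same one that applies to any multi-user upload directory: never let a client-chosen name decide which stored object a request resolves to, and check ownership on every read, not only at upload time.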

Luckily Xirvik has not only found the bug and reported it, but has also worked on a fix which can be found here on the TorrentFlux-b4rt forums.


  • Fail

    Regular torrentflux is unaffected?

  • Koekje

    Wouldn’t appear so.

  • Factx

    Thanks for that report!

    BTW, does anybody use torrentflux from leaseweb? A friend and I have had problems reaching tracker.thepiratebay.org from there..

    torrentflux rules..

  • Adam

    There are many bugs in torrentflux-b4rt; the last time a version came out was March 2008. I highly doubt this will ever get fixed.

  • ME

    There were quite a few bugs last time I used b4rt, but it’s still a sweet torrent program

  • John

    At first I thought you meant the private trackers username/pass. Just the session key to the tracker is far more timid.

    Surely these sorts of keys would expire after a short period of time…?

  • Anonymous

    Why the hell would you use a seedbox on tpb?

  • heh

    #3: You’re an idiot, plain and simple.

    #6: No. Your passkey is set when you create your account and can only be reset by a staff member in emergency cases.

  • Private Trackers Fail Again

    Fails again.

    “Private trackers” are sooo much better we hear from wise-A**es here all the time!

    Bullshit!

    Yet another example of programs that can be used to screw members on a “Private tracker”

    Elsewhere, “Private tracker” – Not really private, due to the mass of users.

  • josh

    Good thing I set up my own seedbox on my vps.

  • levitron

    Mr. Private Tr.F.A.
    You talk like a nOOb that got banned on a P.T. so now you bash them.
    go back to your Public tracker and keep quiet or I’ll tell your mom to ground you from yr computer.

  • money

    @levitron
    hahah pwnd.

    But yeah, I don’t see the point of a private tracker. I have a demonoid account but most everything I need is on the piratebay. I’m not dissing private trackers, but people shouldn’t be snobs about it. Basically the only advantage is the personal aspect, talking to people and sharing files. Of course I always love Tpb’s comments page haha

  • PetFoodz.Info

    Demonoid is great.. Lots of rare gems not found elsewhere..

  • Anonymous

    Aside from this flaw that could happen to anything there are some other reasons I really dislike “private trackers” and here are some of them:

    - Those people make some ridiculous rules and act like those rules are the word of God. I read the rules from a lot of private trackers and what I can say is that even dictatorships are more open LoL

    - The managers are paranoid beyond belief. Don’t you dare say something that could be construed as a criticism, seriously! anything at all, better never, ever write to anybody about it or you are banned, the MAFIAA is bad but some private trackers are just as bad. I never was banned but I saw people asking “why” and being banned.

    - The speed is the same on public and private for me so I don’t see the point to have to bear those rules that make any dictatorship feel like freedom.

    - Private trackers claim that privacy is better. Well those people either are morons or they have an agenda behind it because you cannot seriously say that a central server, with a known location and on which regularly complete strangers join in and have to track your IP and client to know and define your ratio can be “private” and secure.

    - If there is a problem you have to deal with those same people that would ban anyone for anything and some of them are hyper-narcissists so you have to tread very carefully.

    It is just not worth the hassle for me. But there are people who like it, and it is a choice but please don’t say it is secure or private, brag about speed if you must because I don’t see a difference because my connection is so fast but others in the pre-historic U.S. broadband (if you can call it that) may see a difference LoL

  • firstnoob

    My issue with Torrentflux-b4rt (Transmission back-end) was that it opened up a new python process for every torrent. Having 100+ python processes running was rather unacceptable.

    So I switched to rtorrent + wtorrent webgui, and never looked back. The ajax in wtorrent makes checking status on your torrents seamless without refreshing the page. Highly recommended setup if you have the patience to set it up.

  • bluber

    why pay for seedboxes when usenet is so much better

    n00bs

  • bluber

    _______________________________________

  • Stupid

    The BUG is that PIRATES are running the store. WHO in his right mind would trust PIRATES with their personal data??

  • CF

    #18 you’re right, trust RIAA instead.

  • Dave Evans

    rtGui FTW! http://rtgui.googlecode.com I’m an old TorrentFlux user, but since finding rtGui a year or two ago haven’t looked back.

  • Anonymous

    @16,18: ignorance is bliss

  • dom.player

    what is the difference between torrentflux-b4rt and http://torrentflux.com ???

    I know I need a seedbox, but which is better?

  • Anonymous

    Even though I only share my seedbox with close friends, I went to my seedbox hosting company website all prepared to open a support ticket. But they had already fixed it and put up a blog post about it. http://seedboxhosting.com/seedbox/151/patch-applied-to-all-torrentflux-b4rt-seedboxes

    ha.. that was fast! That is one reason to have a good seedbox – don’t have to fuss with this kinda shit myself.

    #14: There are many other reasons for using private trackers that you may not have thought of. For instance, quality control… I don’t have to wade through tons of crap to find a good release of something – the community and uploaders make sure that duplicates and less than perfect torrents are not to be found. Instead, you get just one of everything in every format with well laid out tagging and categorization structures.

    And yea, the speeds are faster no matter what country you are from.

  • HNicolai

    That’s why you should use µTorrent WebUI :P

  • Duek

    What’s better, wtorrent or rtgui?

  • Anonymous

    The pic is hilarious :D

  • helnwein

    wTorrent here. 8 core, 16gb ram, 8tb hd space, 1gbit/1gbit connection.

  • Dave Evans

    rtGui here. 1 core, 128Mb, 20Gb HD, ADSL. Runs like a dream ;)

  • helnwein

    @28 haha very nice!

  • Zoness

    Private trackers speeds are so much better than public trackers I don’t know where people get the garbage idea that they aren’t from.

  • Anonymous

    Passkeys want to be shared. Everyone should share their passkeys. How is it fair that some people have passkeys and others don’t? Having passkeys is a fundamental, inalienable human right. When someone takes your passkey and uses it what they are doing is complimenting you on having such a nice passkey and you should thank them for sharing it.

  • Mikey

    #3: You’re an idiot, simple as that!..

    Torrent flux is crap…better off getting a Dedicated Server and installing u-torrent :)

  • loltorrents

    LOL!LOL!LOL!LOL!… torrents LOL!LOL!LOL!

  • jon smith

    utorrent FTW! I have used multiple seedboxes running Torrent flux, and IMO it’s a system hog.

    Recently got a utorrent seedbox and it works better than my previous Torrent flux seedboxes

  • Anonymous

    xzxczxczx
    cz

  • omfg

    I have patched it ==_

  • John

    Noticed this a while ago on my xirvik account. I knew I could get other users’ .torrent files from private sites, but I didn’t realise what that could mean! :)

  • =

    amazing @14

  • anon

    I use rtorrent with no web ui since it uses resources and I like to have as many torrents running as possible.

    If you do want one I suggest rtgui, but there is a new one about called rutorrent that looks exactly like the utorrent one, only for rtorrent. They are both with google code.

  • Factx

    #8 & #32: Yea sure, and you guys must be the smartest ppls around..

    I have a dedicated server and torrent flux works great for me.

    If you have some other suggestions come with them instead of acting like 3 year olds..

