Over the past two weeks Torrents-Time has made headlines on hundreds of news sites.
While streaming torrents is nothing new, it quickly reached a mainstream audience when several of the largest torrent sites adopted the technology.
Earlier this week TorrentFreak learned that the implementation hadn’t gone flawlessly on all sites. For example, The Pirate Bay is now vulnerable to XSS attacks.
This allows outsiders to execute code on the site, as shown by this example.
While Torrents-Time isn’t necessarily to blame for this issue, the software’s popularity also prompted some developers to look for other possible security concerns in the application.
Aurous and Strike developer Andrew Sampson took the software apart and summarized several findings on his personal website, ultimately characterizing Torrents-Time as unsafe.
Among other things, the software is accused of running as root on OSX, leaking private information, and making it possible for outsiders to launch torrents without the user’s knowledge.
“It’s like leaving your door open, if not worse, giving a complete stranger the keys to your house, with no background check and blindly trusting them,” Sampson tells TorrentFreak.
While some of the issues are indeed causing concern, Torrents-Time’s developers counter that several reports contain incorrect statements and half-truths.
The XSS vulnerability was triggered by The Pirate Bay’s implementation, they say, and some of the privacy issues being highlighted apply to most sites and services.
Torrents-Time does acknowledge that it was possible for third parties to start torrents without the user’s knowledge. This will be fixed in an automatic update later today, after which users have to grant explicit permission.
It’s also true that Torrents-Time has root access on OSX, but according to the Torrents-Time team this is required to integrate the VPN service.
Torrents-Time’s full response to Sampson’s article is available here.
Meanwhile, Torrents-Time is also receiving pushback from other angles. AVG is now categorizing the application as Adware, which is a false positive according to the developers. In addition, ad-blockers briefly flagged the streaming links on The Pirate Bay, but this is no longer the case.
Nevertheless, the developers are confident that they can deliver a quality product.
“We are more than eager to have an efficient and safe product. We undertake to rectify any flaw and deal with any threat to users and sites alike,” the Torrents-Time team informs us.
Perhaps it’s a no-brainer, but users visiting torrent sites should always proceed with care, and with Torrents-Time the situation is no different.
Update: Slipstream points out that Torrents-Time bundles SSL certificates and private keys (they’re now revoked). He also published a proof of concept for several of the other reported issues here.