Torrents Time could let attackers control what you stream in your browser

Torrents Time could let attackers control what you stream in your browser

If you use the Torrents Time browser plugin to stream videos from torrents on trackers like The Pirate Bay, you probably already know that’s illegal. But it’s potentially dangerous to use as well.

Developer Andrew Sampson, who gave us apps for simulating fullscreen mode for windowed games and a way to decide what to watch on Netflix, has found glaring issues in Torrents Time’s code.

F**k it, we'll do it live!

Our biggest ever edition of TNW Conference is fast approaching! Join 10,000 tech leaders this May in Amsterdam.

According to Sampson, the plugin appears to be attempting to run an entire torrent client in your browser. Because it’s poorly coded, it misuses the cross-origin resource sharing (CORS) mechanism and could allow malicious sites to stream files other than what you wanted to watch. It also logs your IP address and location.

Torrents Time also seems to use between 50 and 80 percent of your computer’s CPU cycles, which is entirely unnecessary and symptomatic of flawed coding.

You’re better off uninstalling the plugin for now, even if it does mean losing the ability to stream torrents in your browser.

Update: The Torrents Time team has shared a response to Sampson’s comments. Concerning the issues we’ve highlighted above, the group said:

User Tracking/Privacy: The full code of the XHR function which Sampson copied a part of, can be found here on line 712. It’s not that he dissected the application to retrieve it. It’s an open source code.

Had he been honest or a pro or both, he would know and mention that Torrents Time is using the standard Javascript XHR object which is already in the browser.

It is thus obvious to anybody with some knowledge of the matter (or who has no hidden agenda) that Torrents Time has no issue of CORS. None whatsoever. Sampson appears not to be the expert he claims to be (or he has a hidden agenda).

Skyrocketing CPU usage: Even clever Mr. Sampson doesn’t know why he’s machine consumes so much of his CPU or crashes. He may have installed a virus of his own. We’ve not have had a similar complaint from normal users, but if we do, we’ll fix it. We know how to and we want the users to enjoy Torrents Time. Crashing their computers is not something we want.

Despite Sampson’s hollow statements, Torrents Time does not enable attackers to control your computer! It’s safe, user-friendly and fun.

Torrents-time Security Issues [Andrew Sampson via Gizmodo]

Read next: There's now an online stock market for sneakers

Shh. Here's some distraction

Comments