It seems that almost everyone involved in the world of torrents has been fading time to wax lyrical about the Torrents Time plugin that has recently popped up on the radar. The plugin is a cross-browser installation that essentially allows anyone attempting to access a torrent to stream it in real-time rather than actually download the full contents to the hard disk of the machine. Providers of torrent services may be adopting Torrents Time in their droves, but it appears that all may not be as it seems, with a dissection of the plugin revealing some interesting and potentially worrying security flaws.
The Pirate Bay and Kickass Torrents are two of the larger, well-known torrent sites to instantly jump on the Torrents Time bandwagon. Both services have integrated a set of functionality based on Torrents Time that allows users to stream torrents from within the browser rather than actually having to download the content. But of course, as you would expect, in an effort to stay relevant and compete with those at the top, a number of smaller torrent sites are also integrating the plugin on an almost daily basis. That seems great for those who want to use such services, but a dissection of the plugin seems to suggest that the Torrents Time software contains some issues that seriously need addressing from a security perspective.
The Torrents Time platform is essentially attempting to replicate the functionality of an entire torrent client from directly within a webpage on a browser, and this isn’t exactly an easy task to accomplish by anyone’s standards. The investigation into the plugin suggests that in order to achieve that level of functionality the developers behind it have included some “creative programming” techniques, which in turn have highlighted some serious security flaws due to the abuse of cross-origin resource sharing (CORS).
In its simplest form, CORS is the method by which one website requests resources from another web page in order to carry out its task. It has been found that the way in which this feature is setup could potentially expose the user’s real IP address as well as compromise the actual content that’s being downloaded/streamed. Given the nature of the type of content that’s downloaded and views via torrents, it’s probably of paramount importance that an IP address is protected. Not that we condone that kind of thing at all, of course.
(Source: Andrew Sampson)