Maybe You Shouldn’t Stream Torrents In Your Browser

Torrents-Time is an interesting little browser plugin that lets you stream torrents without needing to download a whole separate client. It’s a boon for anyone who needs a simple way to torrent, but as a few people are pointing out, it’s also horribly insecure.

The plugin works with Firefox, Internet Explorer and Chrome, and the premise is simple: with it installed, navigate to any Pirate Bay torrent page and you’ll get a link to stream the torrent instead of just downloading it. Sounds great! But there are a few catches.

A dissection by Andrew Sampson, along with posts on the /r/Piracy subreddit, raises several concerns about how the plugin works. At heart, Torrents-Time is trying to run an entire torrent client from a webpage, backed by a service running on your computer, which leads to some “creative” programming and some serious security flaws.

The most egregious is its abuse of cross-origin resource sharing (CORS), the mechanism by which a server tells browsers which other websites’ scripts may read its responses, relaxing the browser’s normal same-origin restriction. Set permissively on a service that accepts commands, it means any web page you happen to have open can talk to that service. Sampson shows that, because of how Torrents-Time sets this up, it leaves a gaping hole that could let another site tamper with what you download, not to mention expose your real IP address.

There are a few other concerns as well: the service seems to run persistently in the background on your computer, which could drain battery life and annoy anyone who tries to put their PC to sleep, and Sampson found a CPU-usage bug that is not just annoying but potentially symptomatic of a more serious coding flaw.

All in all, Torrents-Time is a neat plugin, but probably not worth the risk. Legions of much better, more robust and far more secure torrent clients are out there; sacrifice three seconds of convenience in order not to compromise your entire computing setup.

[Andrew Sampson]