According to the reports from Ars Technica, Hackers can exploit this vulnerability to execute malicious code on user’s computer. The previous week, Google’s Project Zero team shared the proof-of-concept attack code. Google’s Project Zero team usually forbears itself from making the details of any existing vulnerability to the public for 90 days. However, in this case, the vulnerability was made public within 40 days. This is because the report also contained a patch, but Transmission developers haven’t responded on their private security mailing list.
— Tavis Ormandy (@taviso) January 11, 2019 So, after the public release, the downstream projects using the Transmission project would be able to apply the patch. Well, the flaw found on BitTorrent app uses domain name system rebinding to control the Transmission interface whenever victim visits a malicious website. Hackers after gaining control over the Transmission interface just needs to change the torrent download directory to home and download a torrent file named .bashrc. With this hacker can configure Transmission to run any command after the download has completed. It’s worth to note that the Transmission developers have also claimed to release the fix as soon as possible. However, the developer team hasn’t shared any specific date. So, to be on the safe side, you must minimize the use of torrent sites until the fix is being released. What’s your take on this? Discuss with us in the comments.
