None of these are major (private) torrent sites, torrentfreak is just hyping up bullshit as usual.
Just looking at the filenames makes it obvious that these can’t be from any major private tracker, there’s no way BTN or the likes would accept these files.
I think people are not understanding this story. This is a story about trackers who share content between them, not about users. The semi-open management panels expose networks of people who are working with each other to do something that is legally frowned upon.
> Another screenshot featuring a torrent related to a 2022 movie reveals the URL of yet another third-party supplier tracker. Some basic queries on that URL lead to even more torrent sites. And from there, more, and more, and more – revealing torrent passkeys for every single one on the way.
What is this torrent passkey used for? My understanding is that torrent trackers were all about sharing peers. You want tracker info to spread. I'm not understanding what this vulnerability exposes.
Edit: It looks like it's actually explained earlier:
> One begins with a GET request to another tracker, which responds with a torrent file. It’s then uploaded to the requesting site which updates its SQL database accordingly.
> From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that’s only useful when nobody knows what it is.
> The same security hole also grants direct access to one of the sites tracker ‘bots’ through the panel that controls it.
So I think the issue is that keys to authorize control of the automated software to propagate tracker info is being leaked. It sounds like the end result is someone can write spoofed or spam info into torrent trackers.
Some torrent sites have ratios, eg you must upload as much as you download. The passkey allows the tracker to keep track of what you've uploaded and downloaded for your ratio.
These torrents also have peer discovery and DHT disabled on private trackers.
Somehow soothing to know that organizations small and large, legal and illegal, all suffer from something getting in the way of vital security information reaching those who would act on it.
Why would ISPs bother to serve torrents and join pools to get IPs that way when they can just use this method? I wonder how long this has been a possibility... ugh
Just go to https://iknowwhatyoudownload.com/en/peer/ and put anyones IP in, depending on how static it is, it will provide at least accurate recent data on public trackers.
That networks of trackers and their operations are being exposed in realtime. This isn't a security issue for tracker users, it's a security issue for the trackers themselves. It's very very bad, I don't know why people are making light of it. Also, the trackers have reacted and are fixing their management panel configs as we comment, so the story is accomplishing something.
Readit News
Just looking at the filenames makes it obvious that these can’t be from any major private tracker, there’s no way BTN or the likes would accept these files.
Deleted Comment
What is this torrent passkey used for? My understanding is that torrent trackers were all about sharing peers. You want tracker info to spread. I'm not understanding what this vulnerability exposes.
Edit: It looks like it's actually explained earlier:
> One begins with a GET request to another tracker, which responds with a torrent file. It’s then uploaded to the requesting site which updates its SQL database accordingly.
> From there the script starts checking for any new entries on a specific RSS feed which is hidden away on another site that has nothing to do with torrents. The feed is protected with a passkey but that’s only useful when nobody knows what it is.
> The same security hole also grants direct access to one of the sites tracker ‘bots’ through the panel that controls it.
So I think the issue is that keys to authorize control of the automated software to propagate tracker info is being leaked. It sounds like the end result is someone can write spoofed or spam info into torrent trackers.
These torrents also have peer discovery and DHT disabled on private trackers.
So again I ask: What is the problem? The article does a fucking terrible job explaining what the problem is.
All I can take away is that public information is being passed around in public. That is a problem how?