Popcorn time geeft een reactie op de vermeende beveiligingsproblemen

RDJ134 5 augustus 2015 om 00:38 uur

Een kleine 24 uur geleden kon je hier op Eigenwereld.n lezen dat ze populaire Popcorn Time enkele beveiligingsproblemen heeft. Een vriendelijke hacker met de naam DaKnOb had enkele gaten gevonden in de software (even ter duidelijkheid de versie van Popcorntime.io) die door kwaadwillende gebruik konden worden. Nu heeft de maker van deze Popcorn Time fork gereageerd op de problemen en een fix uitgebracht die alles op lost, maar daar kan je meer over lezen in het onderstaande persbericht.




Hello guys,

TorrentFreak released an article this monday about Popcorn Time security issues.

First things first, you don't need to worry. A man-in-the-middle type of attack is very unlikely to happend to anyone: a potential intruder would need to already be present in your network. This means that they would need to have access to your WiFi or your ethernet, or that they are your Internet Access Provider. If someone has access to those, then they could potentially infect your machine through Popcorn Time.

Now, let's talk about the type of attacks that could happen... The article mentions Content Spoofing and XSS.

Content Spoofing basically is useless: worst case scenario, you could download some porn instead of your movie. Not very interesting or beneficial for someone that just went through the troubles of infecting your network, is it?

This leaves XSS attacks. Now, that's another deal. An XSS attack would allow the intruder to execute malicious code inside of Popcorn Time. To be clear: it would not allow to gain full control on the machine, as Popcorn Time doesn't have elevated permissions. Yet, it is a security issue.

What are our plans to fix these issues? We'll release another hotfix shortly (0.3.8-3) to address them.

First, we're going to sanitize all input recieved from a remote machine. This way, even if malicious code gets injected in the response (the list of movies is a response, and so is TV show synopsis information, etcetera), it won't be executed.
Second, we're going to make most requests over a secured HTTP (known as HTTPS) connection. I say most, because some fallbacks for UK users (the "really smart techniques" TorrentFreak refers to) simply don't work with HTTPS.

These vulnerabilities will then belong only to the past. But I repeat: you do not need to worry. Even without any protection, the use of Popcorn Time to infect your machine is very unlikely, as someone who meets the requirements to attack Popcorn Time, has better things to attack. No need to make such a fuss over this.

PS: The Android application isn't affected by this.

Reageer