Popcorn Time Vulnerable to Hack Attacks, Researcher Says

Almost 18 months after it burst onto the scene in 2014, Popcorn Time is still one of the most popular file-sharing applications on the market.

Millions of people use multiple variants of the Netflix-style tool every day, with ease of use and wide content availability proving a hit with users old and new.

Popcorn Time’s success has also made it a target for anti-piracy companies desperate to shut it down, but today the software finds itself under attack of a different kind.

Antonios Chariton, aka ‘DaKnOb’, describes himself as a Security Engineer & Researcher. Currently in Greece studying for his B.Sc. in Computer Science, Chariton informs TorrentFreak that he’s discovered some serious security vulnerabilities in at least one fork of Popcorn Time.

“There are two reasons that made me look into Popcorn Time. First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time,” Chariton says.

The researcher says that the problems begin with “a really smart” technique that Popcorn Time uses to bypass ISP-level blocking in the UK. By utilizing Cloudflare infrastructure for part of its setup, it’s difficult to block Popcorn Time by DNS without banning the Cloudflare website, Chariton notes.

But cleverness aside, this is where the problems begin.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explains.

“The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

As shown in the image below, Chariton says he was able to perform a “content spoofing” attack, in which he gave the movie Hot Pursuit the title of “Hello World” instead.


The researcher says that while he could’ve changed any other information in the Popcorn Time application, that wouldn’t be “exactly much fun”. So, to get pulses racing, he launched an XSS attack instead.

As shown in the image below, Cross-Site Scripting (XSS) attacks allow for potentially malicious scripts to be injected into other web applications.


“We have injected malicious JavaScript and the client application executed the code. Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” Chariton explains.

“This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

That’s obviously a pretty serious issue but Chariton does have some advice for the developers.

“HTTP is insecure. There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response,” he notes.

“Last but not least, just because something is Open Source doesn’t mean it’s audited and secure. Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do,” Chariton concludes.
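The two pieces of advice above (HTTPS for the API request, client-side checks on the server response) can be sketched in Node.js as follows. This is an added example, not code from Popcorn Time or from Chariton; the host name, the field names `title`, `year` and `imdb_id`, and the sample records are assumptions made up for illustration.

```javascript
'use strict';
// Added example. The API host and the record schema (title, year, imdb_id)
// are hypothetical; they are not Popcorn Time's real API.
const ALLOWED_HOSTS = new Set(['api.example.invalid']);

// Refuse anything but HTTPS to an expected host, so the response is not
// readable or modifiable by someone in a man-in-the-middle position.
function checkApiUrl(raw) {
  const u = new URL(raw);
  if (u.protocol !== 'https:') throw new Error('refusing non-HTTPS API URL');
  if (!ALLOWED_HOSTS.has(u.hostname)) throw new Error('unexpected API host');
  return u.href;
}

// Escape a string for use in HTML text or a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Check one record's types and ranges; return a cleaned copy or null.
function validateMovie(rec) {
  if (rec === null || typeof rec !== 'object' || Array.isArray(rec)) return null;
  const { title, year, imdb_id } = rec;
  if (typeof title !== 'string' || title.length === 0 || title.length > 200) return null;
  if (!Number.isInteger(year) || year < 1888 || year > 2100) return null;
  if (typeof imdb_id !== 'string' || !/^tt\d{7,8}$/.test(imdb_id)) return null;
  return { title, year, imdb_id };
}

// Parse a response body, drop malformed records, and build list items in
// which the title is escaped. imdb_id is safe unescaped: the regex above
// only admits "tt" followed by digits.
function renderMovieList(body) {
  let data;
  try { data = JSON.parse(body); } catch (e) { return []; }
  if (!Array.isArray(data)) return [];
  return data.map(validateMovie).filter(Boolean)
    .map((m) => `<li data-id="${m.imdb_id}">${escapeHtml(m.title)} (${m.year})</li>`);
}

// Constructed sample response: a normal record, one whose title carries
// markup, and one with a wrongly typed field. The ids are made up.
const SAMPLE = JSON.stringify([
  { title: 'Hot Pursuit', year: 2015, imdb_id: 'tt0000001' },
  { title: '<script>alert(1)</script>', year: 2015, imdb_id: 'tt0000002' },
  { title: 'Hello World', year: 'n/a', imdb_id: 'tt0000003' },
]);
console.log(renderMovieList(SAMPLE).join('\n'));
```

Validation and escaping stop injected markup from executing, but they cannot detect a well-formed record whose title was simply swapped, as in the “Hello World” spoof; only transport integrity (HTTPS) addresses that.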

Making the situation more complex is the number of Popcorn Time forks in circulation. Chariton told us that he carried out his tests on the variant available at PopcornTime.io but it’s certainly possible that the same issues exist elsewhere on lesser-used forks.

That being said, the developers behind the variant available at Popcorn-Time.se inform TorrentFreak that their version isn’t vulnerable to these exploits.

“These security issues don’t refer to Popcorn-time.se since we built Popcorn Time from scratch in C++,” the devs explain.

“We don’t use Node Webkit which is known for having security issues, but chose the longer route of building our platform on our own from the ground up to avoid just these kind of issues.”

Chariton has raised the issue here and it’s currently under discussion.

Source: TorrentFreak, for the latest info on copyright, file-sharing, torrent sites and the best VPN services.

India’s Porn Block Targets Torrent Sites, CollegeHumor and 9Gag

This weekend millions of Indian Internet users started to notice that their favorite websites were no longer accessible.

On Friday the Government ordered local Internet providers to block access to a list of 857 websites, including many of the top porn sites.

“Your requested URL has been blocked as per the directions received from Department of Telecommunications, Government of India,” was the warning many got to see instead.

The move has sparked outrage among the public, who condemn the Government for censoring the Internet without proper cause. According to the court order the sites are being blocked because they threaten the morality and decency of Indians, which a local official has now confirmed.

“Free and open access to porn websites has been brought under check. We don’t want them to become a social nuisance,” a spokesman at the Department of Telecommunications told Reuters.

The Government order is quite broad, and not just because of the high number of domain names involved. A leaked copy which lists all of the affected domains reveals some unsuspected entries.

For example, the list contains two of the largest torrent sites, Kickass.to and H33t.to. The first is now operating under the new Kat.cr domain name and the latter site is down, so the effects of the blockade are minimal.

While blocking these torrent sites may be justified as both sites do link to pornographic content, the same can’t really be said for CollegeHumor and 9Gag, which are also on the blacklist.

The same goes for Liveleak, which has plenty of ‘immoral’ videos but isn’t really known for its vast amounts of porn. Finally, the list also includes nonvegjokes.com, a site specializing in dirty jokes.

The blocking order was issued under Rule 12 of the local Information Technology Rules, which allows the Government to block access to sites that are deemed to violate the integrity or security of India.

The Government still has to justify its blocking request before the end of the month. If those arguments prove insufficient, the court order may be overturned again. In the meantime, the interest in circumvention tools such as VPN services and proxy sites is expected to skyrocket.


The Pirate Bay Will Be Blocked in Austria

As the bastion of online piracy, The Pirate Bay has become one of the most censored websites on the Internet in recent years.

Courts all around the world have ordered Internet providers to block subscriber access to the torrent site and the list continues to expand.

The latest blocking order was issued right before the weekend in Austria. Following a complaint from copyright holders, the Commercial Court of Vienna ordered local ISP A1 Telekom to block subscriber access to The Pirate Bay.

In addition to the notorious torrent site, the court order also requires the Internet provider to block three other “structurally infringing” sites: Isohunt.to, 1337x.to and h33t.to.

The court allows the ISP to choose how to implement the blockade on a technical level but it is likely to involve DNS-blocking, an IP-address blacklist or a combination of both.

If A1 Telekom chooses a DNS blockade then users can easily circumvent the measures by using a non-ISP DNS server. A combination of a DNS and IP-address block is generally more effective, but with the wide availability of proxy sites and VPN services that’s not airtight either.

Franz Medwenitsch, managing director of the Austrian music industry association IFPI, welcomes the court order and notes that they are happy to assist with the implementation of the blockades.

“For the further development of the online music market it is a very gratifying decision. We call on the Internet providers to work together towards a legally compliant and straightforward implementation of site-blocking,” Medwenitsch says.

The current court order follows hot on the heels of another major blocking case in Austria, which came to an end last month.

After a round of appeals the Supreme Court ordered several leading Austrian ISPs to block the major streaming sites Movie4K.to and Kinox.to. The Court further ruled that the Internet providers will have to pay the costs for future blockades.

Given the recent successes, it wouldn’t be a surprise if more blocking requests follow during the months to come.


Top 10 Most Pirated Movies of The Week – 08/03/15

This week we have three newcomers in our chart.

Hot Pursuit is the most downloaded movie.

The data for our weekly download chart is estimated by TorrentFreak, and is for informational and educational reference only. All the movies in the list are BD/DVDrips unless stated otherwise.

| Ranking | (last week) | Movie | IMDb Rating |
|---|---|---|---|
| 1 | (…) | Hot Pursuit | 4.9 |
| 2 | (2) | Furious 7 | 7.6 |
| 3 | (1) | Insurgent | 6.6 |
| 4 | (…) | Minions (HDTS) | 6.7 |
| 5 | (3) | Jurassic World (TS/Subbed HDrip) | 7.7 |
| 6 | (8) | Terminator Genisys (TS) | 7.0 |
| 7 | (…) | Mission: Impossible – Rogue Nation (HDTS) | 8.0 |
| 8 | (5) | Ted 2 (Subbed HDrip) | 6.9 |
| 9 | (6) | Home | 6.8 |
| 10 | (7) | The Longest Ride | 7.1 |


Copying And Sharing Was Always A Natural Right; Restricting Copying Never Was

Political scientists have this concept called “natural rights”. It’s a right you have innately, even if there is no law enforcement or indeed any government. Such rights include the right to think freely, the right to use your senses, the right to speak your mind, and the right to hold property (starting with your own body).

In contrast, laws that restrict such rights cannot exist without a government to enforce such laws. This is crucial to understanding what can be considered a starting point for society; if you have a blank slate, what laws and rights exist before you’ve put the first ink to paper.

The copyright industry tries repeatedly to portray itself as in the moral right from a high horse, when advocating restrictions to copying and sharing. That’s not just wrong, it’s also blatantly dishonest and false, and knowingly so. The copyright monopoly is a protectionist mechanism, a remnant from before the free-enterprise reform of the mid-1800s, that has no place in a society built on creativity and innovation. The monopoly is not just destructive and wrong, but also draconian and arbitrary.

Let’s examine how natural rights come into play when sharing knowledge and culture.

To create a bitstream of a file, say Gameofthrones.s05e10.1080p.WOOT.mkv, we observe that this file exists somewhere. We use our own senses, and technology extensions to our own senses using our own property (a computer, a router, network cables, etc.), to observe the existence of this stream, and the bitpattern that makes up that particular stream. After observing what the bitpattern looks like, we rearrange our own property – magnetic fields on our hard drive – to match what we are observing with our senses.

From a natural rights perspective, this is identical to a painter using their property – paint, brushes, bristles – to record onto a canvas what they’re seeing with their eyes. It’s not just perfectly fine, it’s completely expected behavior.

Now, it may be that exercising natural rights in this case interferes with dreamed-up business models by the copyright industry. But natural rights don’t take a back seat to somebody’s imaginary right to profit. They’re on a different level altogether. While there are laws that limit natural rights, they are generally seen as hideously immoral and to be practiced with enormous restraint.

However, the conclusion here is that copying is the natural state, a mere exercise of natural rights, and restriction of such copying is an arbitrary and draconian intrusion into natural rights, an anachronistic remnant from the pre-free-enterprise era which has no place in the age of the Internet.

Finally, I said that the copyright industry is “knowingly” deceptive on this point. By that, I am referring to the fact that they keep reiterating that people who are exercising their natural rights are “stealing”, despite the U.S. Supreme Court clearly having ruled the opposite, which they are well aware of, and also that the copyright industry has been explicitly banned by court from using such deceptive and disingenuous language.

About The Author

Rick Falkvinge is a regular columnist on TorrentFreak, sharing his thoughts every other week. He is the founder of the Swedish and first Pirate Party, a whisky aficionado, and a low-altitude motorcycle pilot. His blog at falkvinge.net focuses on information policy.
