A Google security researcher has discovered a bug in uTorrent that can let a hacker hijack the software application to deliver malware.
The problem primarily affects uTorrent Web, the newer version of the popular BitTorrent client, which contains a major remote code execution bug, according to Google researcher Tavis Ormandy.
He found a flaw in the way uTorrent communicates information and stores an authentication token. A website loaded in a web browser could be rigged to steal the token and gain total control over the uTorrent service. "As soon as you have the secret, you can simply change the directory torrents are saved to, and after that download any file anywhere," he wrote in a report about the bug.
It does not help that by default uTorrent Web is set up to run automatically at start-up. With control over the client, a web page's owner could direct the application to download a piece of malware. The malware can then be placed in a Windows PC's start-up folder, which will load the program on the next boot. All that's needed is to trick a victim into visiting the malicious site.
On Tuesday, BitTorrent released an update to uTorrent Web that patches the problem. It's available in build 0.12.0.502, which can be downloaded through the official uTorrent site or through the application itself.