
Transmission – BitTorrent users beware: Flaw lets hackers control your computer - pjl
https://arstechnica.com/information-technology/2018/01/bittorrent-users-beware-flaw-lets-hackers-control-your-computer/
======
ekimekim
This is ridiculous. Not that I'm defending Transmission on their slowness
here, but this is fundamentally a chrome issue. _Websites being able to access
services running on localhost is a security vulnerability_ , a sandbox escape.
People assume restricting incoming connections to localhost means that only
localhost can connect, because that is exactly what that is MEANT to do. I
don't think it's reasonable for every service in the world to now assume the
loopback interface is hostile because browsers can't get their act together.

~~~
tinus_hn
True, but the DNS rebinding attack is real and invalidates a lot of
assumptions.

~~~
ekimekim
Then shouldn't it be fixed? Again, this is a chrome bug.

~~~
tinus_hn
It would be shortsighted to simply call this a Chrome bug.

You can use this attack to make the browser communicate with somebody else’s
computer. If that computer happens to give the user privileges because of his
IP address, for instance because he is in the same home or because he is on
localhost, the attacker can then use these privileges.

One could imagine Chrome blocking this attack with respect to localhost but
blocking connections to machines on the home network is farfetched.

And note that it’s not just web services, the browser can start general TCP
connections.
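
Added example (not code from the thread, from Transmission or from Chrome): the standard service-side mitigation for the rebinding attack described above is to check the HTTP Host header, since a rebound request arrives over a loopback connection but still carries the attacker's hostname in Host. The allowed-host list and the port are assumptions for the example.

```python
# Added example: a localhost-bound HTTP service that rejects DNS-rebound
# requests by validating the Host header. With rebinding, attacker.example
# is re-resolved to 127.0.0.1 after the page loads, so the browser's request
# reaches this server with "Host: attacker.example" (or similar), even though
# the TCP connection genuinely comes from loopback. Binding to 127.0.0.1 alone
# does not stop that; comparing Host against the names we expect does.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Hostnames a legitimate local client is expected to send (assumed list).
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_is_local(host_header):
    """Return True only if the Host header names the local machine.

    The port is ignored; hostnames are compared case-insensitively.
    Missing, empty or malformed headers are rejected.
    """
    if not host_header:
        return False
    try:
        # urlsplit parses "127.0.0.1:9091", "[::1]:9091" and "localhost:9091";
        # .hostname strips the port and IPv6 brackets and lowercases the name.
        hostname = urlsplit("//" + host_header.strip()).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return False
    return hostname in ALLOWED_HOSTS


class LocalOnlyHandler(BaseHTTPRequestHandler):
    """Serves requests only when the Host header names the local machine."""

    def do_GET(self):
        if not host_is_local(self.headers.get("Host")):
            # Loopback connection, but the browser thinks it is talking to
            # some other origin: refuse rather than act on the request.
            self.send_error(403, "Host header does not name this service")
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok\n")


if __name__ == "__main__":
    # Port 9091 is an arbitrary choice for the example.
    HTTPServer(("127.0.0.1", 9091), LocalOnlyHandler).serve_forever()
```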

------
upofadown
Isn't there just the one flaw here? That random websites can make connections
to localhost through a browser? Are we now going to enumerate every possible
thing that accepts connections on localhost without authentication?

> "I regularly encounter users who don't accept that websites can access
> services on localhost or their intranet,"

That seems to be a very reasonable thing to not accept...

~~~
scrollaway
Hard to call it a flaw... it's definitely problematic, but it's seen
legitimate uses in many web apps (Spotify, Discord to think of two) as a way
to communicate with their own desktop client from the web.

The other related issue is that communicating with localhost over https is
very hard for an app. I wonder if there is a potential way to kill two birds
with one stone here with some browser changes.

------
meesterdude
> I regularly encounter users who don't accept that websites can access
> services on localhost or their intranet," Ormandy wrote. "These users
> understand that services bound to localhost are only accessible to software
> running on the local machine and that their browser is running on the local
> machine—but somehow believe that accessing a website 'transfers' execution
> somewhere else. It doesn't work like that, but this is a common source of
> confusion."

does this mean a malicious site can query data from a running service, such as
local MySQL? If so, isn't that a big deal? I know lots of places that run
things open locally because they're behind a firewall.

~~~
sannee
As MySQL uses a custom binary protocol, it should be fine. On the other hand,
anything using a line-based protocol is in danger.

[https://bouk.co/blog/hacking-developers/](https://bouk.co/blog/hacking-developers/)

So, if you have, say, telnet bound to localhost without a password, you are
not safe (modern browser would drop the response as it's not valid HTTP, but
with telnet you don't exactly care anyway).

------
yborg
Google Project Zero-discovered flaw allows remote execution by malicious site
if remote access is enabled in the client with no password set. This is not
uncommon since people assume restricting to localhost will prevent access
outside the host machine.

------
ryanpepper
Pretty similar to what happened with the Jupyter Notebook last year.

[https://github.com/jupyter/notebook/issues/2254](https://github.com/jupyter/notebook/issues/2254)

