Twitter has published an announcement on its blog where it attributes a recent phishing attack to an unnamed torrent site script. Twitter is blaming a torrent site developer for intentionally installing backdoors into the code he sells to people who want to run a torrent site of their own. The big question is, who is behind this attack?

Twitter alleges that a torrent script developer has installed backdoors into his software, allowing it to gain login credentials of users. These credentials have been abused to boost the follower count of unnamed Twitter accounts.

Below is an excerpt of Twitters blog post revealing the threat.

It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up. Additional exploits to gain admin root on forums that weren’t created by this person also appear to have been utilized; in some instances, the exploit involved redirecting attempts to access the forums to another site that would request log-in information. This information was then used to attempt to gain access to third party sites like Twitter.

So, the company blames ‘someone’ of installing backdoors in a torrent site script that was sold to prospective torrent sites operators, something that has apparently gone unnoticed for years. The question that comes to mind immediately is, if this is such a serious and widespread threat, why doesn’t Twitter name the source or at least give some examples of affected sites?

All of the popular public torrent sites are custom built and cannot be the source of the exploit. From the information Twitter has made available it seems they could be blaming a private tracker script for the attack – most private trackers also operate forums which matches Twitter’s description of the sites involved.

There are quite a few private tracker scripts out there and the most established ones, such as TBDev and Gazelle for example, have been examined by untold numbers of experts and come free of charge – any suggestion that they could be involved in underhand activity is unthinkable. But there are also a few scripts that are created by middle-men whose reputations are less-easily tested.

Accusations of including back doors and exploits in tracker code are not new. The owner of Template Shares, a site that sells a heavily modified version of the TBDev BitTorrent tracker script, has been accused by several people of installing backdoors which provide access to the user databases of customers’ sites.

Template Shares is used by hundreds of smaller private BitTorrent trackers.

To warn the public, other online services and the operators of the affected torrent sites, it would be appropriate if Twitter gave out some more information. TorrentFreak will continue to look into this case and will post an update if we find out more.