A group of security enthusiasts performed an unofficial security audit of BitTorrent Sync and reported multiple vulnerabilities, several of which they rated as high risk.

BitTorrent Sync is a file sharing application intended for peer-to-peer synchronization of data between two or multiple devices in a secure manner. The utility is available for both desktop (Windows, Mac, Linux) and mobile platforms (Android, iOS, Windows Phone).

Secret key hashes leaked to sharing server

The file exchange is based on secret keys (AES-128) that are either derived from user input or generated randomly. The sender shares the key with the recipient, and synchronization then takes place directly between the peers, with no server holding the data, unlike the model followed by cloud storage services.

The researchers organized a Hackito Session (named after the Hackito Ergo Sum security conference) and took aim at the BitTorrent synchronization platform.

A total of seven high-severity issues were found during the unofficial audit. According to the researchers, one of them was that the tracking server (getsync.com) that mediates sharing between the clients received the hashes of shared-folder secrets in plain text.

A hash function is meant to be one-way: the output cannot be reversed into the original input. A dictionary attack sidesteps this by guessing rather than reversing: the attacker hashes many candidate inputs and compares each result with the leaked hash, and a match reveals the secret. This requires knowing the hash algorithm, and it only pays off when the secret has low entropy, such as a key derived from a user-chosen passphrase; a randomly generated key of full length is beyond exhaustive search.
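The guessing attack described above, as an added example that is not part of the original article or of BitTorrent's code. It assumes an unsalted SHA-256 of the secret (the article does not name the real hash function), a constructed wordlist, and a constructed user-chosen secret; it also shows why the same attack fails against a random 160-bit secret.

```python
import hashlib
import secrets
from typing import Iterable, Iterator, Optional, Tuple


def share_hash(secret: str) -> str:
    """Hash a folder secret the way a tracker might receive it.
    Assumption: unsalted SHA-256; the article does not state the real function."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the input variants a dictionary attack tries for one base word
    (case changes plus common prefixes/suffixes)."""
    seen = set()
    for base in (word, word.lower(), word.upper(), word.capitalize()):
        for affix in ("", "1", "123", "!", "2013"):
            for cand in (base + affix, affix + base):
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def dictionary_attack(target: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Hash every variant of every word until one matches the leaked hash.
    Returns (recovered secret or None, number of hashes computed)."""
    tried = 0
    for word in wordlist:
        for cand in mangle(word):
            tried += 1
            if share_hash(cand) == target:
                return cand, tried
    return None, tried


def random_secret(nbytes: int = 20) -> str:
    """A 160-bit random secret (hex-encoded here; the real encoding is an assumption)."""
    return secrets.token_hex(nbytes)


def expected_brute_force_years(bits: int, hashes_per_second: float) -> float:
    """Expected time to hit a uniformly random secret of the given size by
    exhaustive search: half the keyspace on average."""
    return (2 ** (bits - 1)) / hashes_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    WORDLIST = ["photos", "holiday", "backup", "secret"]   # constructed wordlist
    leaked = share_hash("Holiday2013")                     # constructed user-chosen secret
    print(dictionary_attack(leaked, WORDLIST))             # recovered after a few dozen hashes
    print(dictionary_attack(share_hash(random_secret()), WORDLIST))   # (None, n)
    print(f"{expected_brute_force_years(160, 1e12):.2e} years at 10^12 hashes/s")
```

The contrast is the point: a leaked hash of a passphrase-derived key falls to a short wordlist with a few mangling rules, while the same leak of a random 160-bit key gives an attacker nothing practical to work with.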

Additional high-severity weaknesses discovered during the audit concerned the web-based administration panel of the Linux client: traffic was not encrypted, session cookies were accessible from JavaScript, the log-in page was vulnerable to cross-site scripting (XSS), the interface could be framed by another site (click-jacking), and iframes could be injected into it.
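A check for the classes of weakness listed above, as an added example that is not part of the original article or of BitTorrent's code. The URL, port, cookie name and header values are constructed; the "weak" response is modelled on the audit's description, and hardened_headers() shows the settings that would clear each check.

```python
from http.cookies import SimpleCookie
from typing import List, Tuple

Headers = List[Tuple[str, str]]   # (name, value) pairs; Set-Cookie may repeat


def audit_panel_response(url: str, headers: Headers) -> List[str]:
    """Return the weakness classes from the audit that this response exhibits."""
    findings = []
    if url.lower().startswith("http://"):
        findings.append("unencrypted transport: panel served over plain HTTP")

    present = {name.lower() for name, _ in headers}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for morsel in jar.values():
            if not morsel["httponly"]:
                findings.append(f"cookie {morsel.key} readable from JavaScript (no HttpOnly)")
            if not morsel["secure"]:
                findings.append(f"cookie {morsel.key} may be sent over plain HTTP (no Secure)")

    csp = next((v for n, v in headers if n.lower() == "content-security-policy"), "")
    if "x-frame-options" not in present and "frame-ancestors" not in csp:
        findings.append("clickjacking / iframe injection: no X-Frame-Options or CSP frame-ancestors")
    if not csp:
        findings.append("XSS: no Content-Security-Policy to constrain injected script")
    return findings


def hardened_headers(session_id: str) -> Headers:
    """Response headers that clear every check above (assumed values, not BitTorrent's)."""
    return [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Set-Cookie", f"GUID={session_id}; Path=/gui; Secure; HttpOnly"),
        ("X-Frame-Options", "DENY"),
        ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
        ("Strict-Transport-Security", "max-age=31536000"),
    ]


# Constructed sample modelled on the audit's description of the Linux web UI.
WEAK_URL = "http://127.0.0.1:8888/gui/"
WEAK_HEADERS: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "GUID=0123456789abcdef; Path=/gui"),
]

if __name__ == "__main__":
    for finding in audit_panel_response(WEAK_URL, WEAK_HEADERS):
        print("WEAK:", finding)
    print("hardened:", audit_panel_response("https://127.0.0.1:8888/gui/",
                                            hardened_headers("0123456789abcdef")))
```

The header checks are necessary, not sufficient: a CSP does not fix an XSS bug in the log-in page, it only limits what injected script can do, so the panel itself still needs output encoding on every reflected value.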

Government involvement suspected

One of the group's conclusions is that all secret hashes could end up leaked to getsync.com, and that BitTorrent could therefore gain access to all shared data.

Because the sharing mechanism was changed after the first release of Sync, the group suspects that some of the vulnerabilities discovered “may be the result of NSLs (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers.”

The group's final conclusion is that, despite its convenience, the platform should not be used to exchange sensitive information.

BitTorrent has not yet issued a statement on these findings, but the security group says the company is preparing a detailed response.

[UPDATE, November 19]: BitTorrent has responded to the claims that Sync is insecure and explained the security design behind the application. The company also detailed the purpose of the tracking server and how secret keys are exchanged.