During the last Hackito Session, a group of passionate techies gathered and, over one evening, dug up whatever they could on BTsync. The goal of this Hackito Session was to analyze the security of BTsync.

Comment: this is not a professional assessment but a community effort to analyze a solution used by the public.

Why? Because BitTorrent Sync's growing popularity means more and more private data gets exposed, and as it is a closed-source program, there is a need for some verified and neutral information about its intrinsic security and about the degree of privacy it provides.

This is a quick response to some critics of these Hackito Session results; it is not a commercial report.

- Closed-source client; uses multiple hashes for sharing Read or Read/Write access to a shared directory.
- SyncThing's sharing model is unnatural, even though its open-source nature makes it preferable to BTsync.
- This is used to share the hashes with another person.

Attack surface & potential attack vectors

- Peer invite must be approved on this device.
- CSRF / local password change without the old password?
- Confirmed: when registering, the HTTP traffic for creating a new user goes over loopback.
- Tracker server gets hashes of the new folder?
- Leak of IPs to relay/tracker during the initial JSON pull (Renaud: not CNIL compliant).
- Confirmed: t. server logs get all IPs that create shared folders, even before they are used.
- No filter of RFC1918 peer addresses means you can make anyone connect to IPs inside his own network: if the guy is on an IPS-protected LAN, make him connect to 2000 IPs and ports and he'll get parked in a "DECONTAMINATE" VLAN.
- Once the peer is approved for Read access, it is automatically approved for Read-Write access as well (provided the peer knows the key).
- RFC1918 IP leaks of all local interfaces of the BTsync sharer.
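As a defensive counterpart to the RFC1918 finding above, here is an added example (not code from the Hackito Session or from BTsync): a client-side filter for a tracker-supplied peer list that drops non-routable addresses unless they fall inside a LAN the user explicitly trusts, plus a simple detection signal for responses that mostly point at private space. The "ip:port" list format and the sample entries are constructed assumptions.

```python
import ipaddress
# Constructed sample of a peer list as a tracker/relay might return it to a
# client, as "ip:port" strings. A client that connects to every entry without
# filtering can be steered at hosts on its own LAN (the RFC1918 finding above).
SAMPLE_PEER_LIST = [
    "203.0.113.10:3000",  # routable, keep
    "10.0.0.5:3000",      # RFC1918, drop unless the user marked that LAN as trusted
    "192.168.1.77:3000",  # RFC1918
    "172.16.4.9:3000",    # RFC1918
    "127.0.0.1:3000",     # loopback
    "169.254.3.3:3000",   # link-local
    "198.51.100.7:3000",  # routable, keep
    "not-an-ip:3000",     # malformed, drop
]
# Ranges an Internet-facing tracker has no business handing out as peers.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, "this"
)]

def parse_peer(entry):
    """Split 'ip:port' into (IPv4Address, port); None when malformed or IPv6."""
    host, _sep, port = entry.rpartition(":")
    try:
        ip, port = ipaddress.ip_address(host.strip("[]")), int(port)
    except ValueError:
        return None
    return (ip, port) if ip.version == 4 and 1 <= port <= 65535 else None

def is_non_routable(ip):
    return any(ip in net for net in NON_ROUTABLE)

def filter_peers(entries, trusted_local_nets=()):
    """Keep routable peers, plus non-routable ones inside a LAN the user explicitly trusts."""
    trusted = [ipaddress.ip_network(n) for n in trusted_local_nets]
    kept = []
    for parsed in map(parse_peer, entries):
        if parsed is None:
            continue
        ip, port = parsed
        if not is_non_routable(ip) or any(ip in net for net in trusted):
            kept.append((str(ip), port))
    return kept

def looks_like_lan_steering(entries, threshold=0.5):
    """Detection signal: most parsable peers non-routable -> likely LAN steering."""
    parsed = [p for p in map(parse_peer, entries) if p is not None]
    bad = sum(1 for ip, _ in parsed if is_non_routable(ip))
    return bool(parsed) and bad / len(parsed) > threshold
```

`trusted_local_nets` is where a client would pass the subnets its own interfaces sit on, so legitimate LAN peers survive while a remote response cannot point it at arbitrary private hosts.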