When files are downloaded via the Torrent Viewer, a local web service is spun up that allows the user to download the files. This web service listens on all interfaces, allowing anyone in the network to view what files are being downloaded, and download them from the user. This mostly affects the privacy of the user.
- This issue was tested on the Brave browser on OSX, using version 0.19.122. Full specs:
Update Channel Release
OS Platform macOS
OS Release 17.2.0
OS Architecture x64
Steps To Reproduce:
- Disable local firewall if set to block all external connections
- Load a torrent in the Brave browser, for example:
- Click on "Start download"
- Either hover over the "Save file" button to see the port to the web service (button_link.png), or perform an external portscan.
- Use different device to connect to the port.
- See what the user is downloading (see Open torrent webservice.png)
Note that the port changes every time a download is started, but an attacker can simple perform a portscan to find this port.
- I've included two screenshots that show the port (button_click.png) and me viewing downloaded files from a VM (Open torrent webservice.png). This issue has also been tested from a phone instead of the VM, to ensure that it wasn't just my vmnet being viewed as a local address.
If an 'attacker' (or any privacy-snooping agent) is on the same network as the user, it's possible to list all files that are currently downloaded. It's also possible to download these files from the user.
This vulnerability does not affect users that have their firewall set to block all incoming connections.