Possible security compromise!

Issue #131 closed
karappo-kun created an issue

// UPDATE from SP //

We now scan .torrent files (where possible) for bad extensions and purge any such torrents from the system. Bad extensions include but are not limited to exe, bat, com, reg, etc.

Important to note that this is not 100% guaranteed. If SP can't download the torrent file itself then it can't verify it and instead redirects the user to the torrent directly (bypassing SP's server). This is also true if the torrent file can't be decoded for some reason. It will keep trying to verify it each time someone tries to download the torrent which means that in most cases any bad files should be caught immediately or very quickly.

// END UPDATE //

On August 20, 2017 at around 2:10 - 2:30 AM UTC, a new torrent file [HorribleSubs] Princess Principal - 07 [720p] .mkv arrived on my RSS feed. My torrent client proceeded to download it as usual but something weird happened after the download. Something inside the torrent triggered my antimalware scanners so I went to investigate.

I found out that:

  1. The '.torrent' file's binary content seems different from previous releases.
  2. HorribleSubs is yet to release torrents for episode 7 and that no such thing appears on their site or in Nyaa.si (as of the time writing this).

Attached to this post are the torrent files for this episode and the previous ones for comparison.

TL;DR [HorribleSubs] Princess Principal - 07 [720p] .mkv.torrent might have been compromised.

EDIT: Went to Anidex and found out the person/account who might have uploaded this torrent. Whoever did this is an asshole for sure.

Comments (7)

  1. karappo-kun reporter

    Issue Closed because the malicious torrent has already been taken down (as of Aug 20 3:24 PM UTC). I won't be using Shana Project rss service anymore after seeing that it sources its torrents from Anidex, and that anyone with malicious intent can upload a fake HS release and Shana Project happily grabs those torrents without verifying its authenticity.

    I am advising anyone with security concerns to stay away from Shana Project until the issue of torrent authenticity is resolved.

  2. Shana Project repo owner

    Unfortunately this is "by design".

    Shana Project sources its torrents automatically from other indexes (Tokyo Tosho) that are submitted by users. The reality here is that it's possible for malicious users to upload fake copies of popular torrents that will automatically download to people's computers.

    With any torrent you download (manually or automated), you should always check the contents before running any binaries. I'm not convinced SP automatically downloading the file is any worse than someone clicking on the file on Tokyo Tosho and downloading it only to find it's a binary as well.

    In any case - we're gonna have a look and see if we can make some improvements to minimise the possibility of this happening in future.

  3. Shana Project repo owner

    We now scan .torrent files (where possible) for bad extensions and purge any such torrents from the system. Bad extensions include but are not limited to exe, bat, com, reg, etc.

    Important to note that this is not 100% guaranteed. If SP can't download the torrent file itself then it can't verify it and instead redirects the user to the torrent directly (bypassing SP's server). This is also true if the torrent file can't be decoded for some reason. It will keep trying to verify it each time someone tries to download the torrent which means that in most cases any bad files should be caught immediately or very quickly.
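The scan described in the update at the top of the issue and in comment 3 above, as an added illustration that is not Shana Project's code: a `.torrent` file is a bencoded dictionary whose `info` section lists either a single `name` or a `files` array of paths, so the check is to decode it, walk every file name and flag extensions on a block list. The decoder and encoder below are written for this example; the block list extends the four extensions named in the comment (exe, bat, com, reg) with a few others and is an assumption, not SP's actual list; the sample torrents are constructed here, not the ones attached to the issue. A torrent that fails to decode returns `None` rather than a verdict, which is the "can't verify" case the comment warns about.

```python
"""Flag risky file extensions inside a .torrent file's metadata.

Added example, not Shana Project's code. The bencode decoder/encoder are
written here; the extension list is an assumption based on the issue.
"""
from typing import Any, List, Optional

# The issue names exe, bat, com, reg; the rest are assumed additions.
BAD_EXTENSIONS = {"exe", "bat", "com", "reg", "cmd", "scr", "msi", "vbs", "lnk"}


def bdecode(data: bytes) -> Any:
    """Decode one bencoded value; byte strings stay bytes, errors raise ValueError."""
    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e
            result, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                if not isinstance(key, bytes):
                    raise ValueError("dictionary key must be a byte string")
                result[key], i = parse(i)
            return result, i + 1
        if c.isdigit():                     # string: <length>:<bytes>
            colon = data.index(b":", i)
            start = colon + 1
            length = int(data[i:colon])
            if start + length > len(data):
                raise ValueError("string length runs past end of data")
            return data[start:start + length], start + length
        raise ValueError(f"invalid bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def bencode(value: Any) -> bytes:
    """Encode ints, bytes/str, lists and dicts (used here to build samples)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def torrent_file_names(meta: dict) -> List[str]:
    """Return every file path the torrent would write, for single- and multi-file layouts."""
    info = meta[b"info"]
    if b"files" in info:
        return [b"/".join(f[b"path"]).decode("utf-8", "replace") for f in info[b"files"]]
    return [info[b"name"].decode("utf-8", "replace")]


def extension(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def flagged_files(torrent: bytes) -> Optional[List[str]]:
    """List of risky file names, or None when the torrent cannot be decoded (unverifiable)."""
    try:
        names = torrent_file_names(bdecode(torrent))
    except (ValueError, KeyError, TypeError, IndexError):
        return None
    return [n for n in names if extension(n) in BAD_EXTENSIONS]


# Constructed samples, not the torrents attached to the issue.
CLEAN_TORRENT = bencode({
    "announce": "http://tracker.example/announce",
    "info": {"name": "[Group] Show - 07 [720p].mkv", "length": 700_000_000,
             "piece length": 1 << 20, "pieces": b"\x00" * 20},
})
BAD_TORRENT = bencode({
    "announce": "http://tracker.example/announce",
    "info": {"name": "[Group] Show - 07 [720p]", "piece length": 1 << 20,
             "pieces": b"\x00" * 20,
             "files": [{"length": 1000, "path": ["[Group] Show - 07 [720p] .mkv.exe"]},
                       {"length": 10, "path": ["extras", "readme.txt"]}]},
})
UNDECODABLE = b"d8:announce3:abc"  # truncated dictionary, decoder raises

if __name__ == "__main__":
    for label, t in [("clean", CLEAN_TORRENT), ("bad", BAD_TORRENT), ("truncated", UNDECODABLE)]:
        result = flagged_files(t)
        print(f"{label}: {'cannot verify' if result is None else result}")
```

Note that a double extension such as `.mkv.exe` is what the issue's fake release used, so the check looks only at the final suffix; a name with no dot at all yields an empty extension and is never flagged.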