Old 21-04-2008, 10:31   #1
SBD
GT- IamTracker
Join Date: Apr 2008
Location: 127.0.0.1
Services: VM 20mb
Posts: 24
Question Private BitTorrent Trackers Under Threat From Major Exploit

Thousands of private BitTorrent trackers using the popular TBDev code are vulnerable to hostile takeover. According to a security researcher, a successful execution of the exploit could result in the attacker gaining admin rights to the tracker. However, knowledge and a little care can mitigate the effects.

The popular TBDev code on which thousands of private BitTorrent trackers are built is said to be vulnerable to a major exploit. A successful attack could allow a malicious attacker to deface the main tracker page (index.php) and hijack the account of anyone who logs into the application. Worryingly, it's even possible to hijack an administrator's account by using a social engineering attack to get them to click on a specially crafted hyperlink, although most admins won't be tricked by this method.

According to Michael Brooks, a security researcher who brought this issue to our attention, this particular TBDev exploit is down to the fact that the developers didn't protect the administrative interface from Cross Site Scripting (XSS) attacks.

<edit Rob: excessive quote deleted - link to original now provided in post #3 below>
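The post describes an admin page that writes attacker-controlled input into HTML unescaped, which is what lets a crafted link run script in an administrator's session. Below is an added example (not TBDev's or the article's code) of that pattern next to its hardened form in PHP, the language index.php implies; the admin page, its `msg` parameter and the helper `h()` are hypothetical.

```php
<?php
// Added example, not taken from TBDev: a reflected parameter on an
// admin-only page, shown unsafe and then hardened.

// Defence in depth for the "hijack whoever logs in" outcome: an HttpOnly
// session cookie cannot be read by page script even if an XSS bug slips
// through later. This complements escaping, it does not replace it.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');   // keep only if the tracker is served over HTTPS
session_start();

// Escape anything that came from the request or the database before it is
// written into HTML. ENT_QUOTES also escapes single quotes, so the result is
// safe inside quoted attribute values as well as in element bodies.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$msg = $_GET['msg'] ?? '';   // hypothetical parameter, attacker controlled

// UNSAFE: the pattern behind a reflected XSS. Raw request data goes
// straight into the page, so any markup in the link is rendered as markup.
// echo "<p>Notice: $msg</p>";

// SAFE: the same output with the value escaped; markup is shown as text.
echo '<p>Notice: ' . h($msg) . '</p>';

// The same rule applies in attribute context: quote the attribute and
// escape the value, never one without the other.
echo '<input type="text" name="msg" value="' . h($msg) . '">';
```

Apply the escape at the point of output, not at input time, so values stored in the database stay intact and every page that renders them is covered.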