Alleged Backdoor Leaking Hashes in BitTorrent Sync; BitTorrent Says There`s no Backdoor

Popular sharing app BitTorrent Sync has been allegedly found to contain a backdoor that was leaking hashes, according to an analysis by Hackito Ergo Sum hackers.

BitTorrent Sync, which has been downloaded some 10 million times, is said to be 16 times faster than its competitors. The researchers at Hackito alleged that the apps’ backdoor was put in after the first release at NSA’s request.

Photo Credit: Hackito Ergo Sum

“This may be the result of NSL (National Security Letters, from US Government to businesses to pressure them in giving out the keys or introducing vulnerabilities to compromise previously secure systems) that could have been received by BitTorrent Inc and/or developers,” Hackito said.

A key finding was a “probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data” and a “leak about the private network addresses of clients that gives indication about where and what to attack.”

“Probable” multiple vulnerabilities were also found during the tests.

BitTorrent replied to the allegations through one of its employees, saying that, besides a few crashes, nothing bad was found during the Hackito tests.

“Wording of `Probable leak of all hashes to getsync.com and access for BitTorrent Inc to all shared data.` is very close to `I almost hacked microsoft today`,” a BitTorrent employee going by the moniker ‘kos13’ concluded.

A more detailed answer was posted on the BitTorrent Forum a few hours later.

“We`ve gone through the claims made on Hackito and after reviewing it in full, we do not feel there is any cause for concern,” said K. Lissounov BitTorrent Sync General Manager.

BitTorrent said the folder hashes are not the folder key, which is secret and can’t be used for obtaining access to a folder, as their purpose is to “discover other peers with the same folder.” Also, hashes (160 bit number) “cannot be guessed” as it is “cryptographically impossible to guess the hash of a specific folder.”

Now the ‘leaking’ hashes appear to go to the peer discovery server which enables “peers to find each other” and is separate from the folder exchange system.

“Compromising the public infrastructure cannot impact the security of Sync,” even if Sync relies on public infrastructure due to its client-side implementation.

BitTorrent Sync`s cryptographic practices have also been reviewed by a third party security firm.