A BitTorrent Client WebUI Shouldn’t Be Shared With The Entire Internet


While it's nice to share a bottle of fine wine over a tasty meal with a loved one, some things are best unshared. Take torrent client web interfaces, for example. They can be convenient and in some cases look very nice but with no security, every download has a global audience, including new torrent transfers added by passing strangers.

The word ‘open’ in a connected world can be something positive. Open source, for example, or open library. On other occasions the opposite can be true; unnecessary ports left open on a router springs to mind.

For millions of people using devices that appear to configure themselves, whether something is open or closed is irrelevant. If a device immediately works as promised, oftentimes that’s good enough. The problem with some internet-connected devices is that in order to immediately work in the hands of a novice, security gives way to ease of use, and that can end in disaster.

Torrent Client WebUI

Many of today’s torrent clients can be operated via a web interface, commonly known as a WebUI. A typical WebUI is accessed via a web browser, with the client’s IP address and a specified port number providing remote access.

In a LAN environment (the part of a network behind the router, such as a home) the torrent client’s web interface serves local users, i.e. those with direct access to the local network, typically via Wi-Fi. The problems begin when a torrent client’s WebUI is exposed to the wider internet. In broad terms, instead of the client being restricted to IP addresses reserved for local use, anyone with a web browser anywhere in the world can access the UI too.

In many cases, a WebUI can be secured with a password or by other means but when users are allowed to do that themselves, many never do, despite the warnings. That could end in disaster if the wrong person decides to let rip from the other side of the world.
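A defender's check for the exposure described above, as an added example that is not from the article or from any torrent client's own code: it parses listening-socket lines in the style of `ss -ltnp` (the sample here is constructed) and flags torrent-client WebUIs bound to all interfaces or to a public address rather than to loopback or a LAN-only address.

```python
import ipaddress
import re

# Constructed sample in the layout of `ss -ltnp` output; not captured from a real host.
SAMPLE_SOCKETS = """\
LISTEN 0 128 0.0.0.0:8888 0.0.0.0:* users:(("tixati",pid=1201,fd=17))
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:* users:(("qbittorrent-nox",pid=1302,fd=9))
LISTEN 0 128 192.168.1.20:9091 0.0.0.0:* users:(("transmission-da",pid=1405,fd=12))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=700,fd=3))
"""

# Process-name prefixes treated as torrent clients (assumed list, extend as needed).
TORRENT_CLIENTS = ("tixati", "qbittorrent", "transmission", "deluge", "rtorrent", "utorrent")


def parse_listeners(text):
    """Return (process, bind_address, port) for each LISTEN line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")      # split off the port only
        m = re.search(r'\(\("([^"]+)"', fields[5])    # process name inside users:((...))
        rows.append((m.group(1) if m else "?", addr.strip("[]"), int(port)))
    return rows


def bind_scope(addr):
    """Classify who can reach a socket from its bind address alone."""
    if addr in ("*", "0.0.0.0", "::"):
        return "all-interfaces"      # reachable on every interface, WAN included
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"            # this host only
    if ip.is_private:
        return "lan"                 # RFC 1918 / ULA: the local network only
    return "public"


def audit_torrent_webuis(text):
    """Scope every listening socket that belongs to a known torrent client."""
    return [(proc, addr, port, bind_scope(addr))
            for proc, addr, port in parse_listeners(text)
            if proc.lower().startswith(TORRENT_CLIENTS)]


def exposed_webuis(text):
    """Only the findings that are reachable beyond the LAN and need attention."""
    return [f for f in audit_torrent_webuis(text) if f[3] in ("all-interfaces", "public")]


if __name__ == "__main__":
    for finding in exposed_webuis(SAMPLE_SOCKETS):
        print("EXPOSED WebUI:", finding)
```

A socket bound to all interfaces is only one hop from a global audience: a port-forward or UPnP mapping on the router completes the exposure, so the fix is to bind to loopback or a LAN address and put authentication in front of it.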

Specialized Search Engines

Internet-connected devices are easily found using services such as Shodan, Censys, Fofa and Onyphe.io and those that are poorly configured are in plentiful supply.

The image above shows a WebUI for the Tixati torrent client. With zero security, everything is on full display, just as it is for the person who operates the client, whoever they might be. This means that all downloads and uploads can be browsed, including data related to those transfers, as seen below.