qBittorrent fixes flaw exposing users to MitM attacks for 14 years

qBittorrent has addressed a remote code execution flaw caused by the failure to validate SSL/TLS certificates in the application's DownloadManager, a component that manages downloads throughout the app.

The flaw, introduced in a commit on April 6, 2010, was eventually fixed in the latest release, version 5.0.1, on October 28, 2024, more than 14 years later.

qBittorrent is a free, open-source client for downloading and sharing files over the BitTorrent protocol. Its cross-platform nature, IP filtering, integrated search engine, RSS feed support, and modern Qt-based interface have made it particularly popular.

However, as security researcher Sharp Security highlighted in a blog post, the team fixed a notable flaw without adequately informing the users about it and without assigning a CVE to the problem.

One problem, multiple risks

The core issue is that since 2010, qBittorrent accepted any certificate, including forged/illegitimate, enabling attackers in a man-in-the-middle position to modify network traffic.

"In qBittorrent, the DownloadManager class has ignored every SSL certificate validation error that has ever happened, on every platform, for 14 years and 6 months since April 6 2010 with commit 9824d86," explains the security researcher.

"The default behaviour changed to verifying on October 12 2024 with commit 3d9e971. The first patched release is version 5.0.1, released 2 days ago.

SSL certificates help ensure that users connect securely to legitimate servers by verifying that the server's certificate is authentic and trusted by a Certificate Authority (CA).

When this validation is skipped, any server pretending to be the legitimate one can intercept, modify, or insert data in the data stream, and qBittorrent would trust this data.

Sharp Security highlights four main risks that arise from this issue: 

When Python is unavailable on Windows, qBittorrent prompts the user to install it via a hardcoded URL pointing to a Python executable. Due to the lack of certificate validation, an attacker intercepting the request can replace the URL's response with a malicious Python installer that can perform RCE. qBittorrent checks for updates by fetching an XML feed from a hardcoded URL then parses the feed for a new version's download link. Lacking SSL validation, an attacker could substitute a malicious update link in the feed, prompting the user to download malicious payloads. qBittorrent's DownloadManager is also used for RSS feeds, enabling attackers to intercept and modify the RSS feed content and inject malicious URLs posing as safe torrent links. qBittorrent automatically downloads a compressed GeoIP database from a hardcoded URL and decompresses it, allowing the exploitation of potential memory overflow bugs via files fetched from a spoofed server.

The researcher comments that MitM attacks are often seen as unlikely, but they could be more common in surveillance-heavy regions.

The latest version of qBittorrent, 5.0.1, has addressed the above risks, so users are recommended to upgrade as soon as possible.