A serious security flaw in BitTorrent Sync can be exploited by a remote attacker to execute arbitrary code, according to an advisory published by HP’s Zero Day Initiative.
The severity of the vulnerability has been rated as “high,” with a CVSS score of 7.5. However, arbitrary code can be executed on vulnerable systems only if the attacker can trick the victim into visiting a malicious page or opening a specially crafted file.
“The vulnerability relates to how BitTorrent Sync handles URLs with the btsync protocol. By navigating the user to a specially formed link starting with btsync:, an attacker can inject arbitrary command line parameters that will be passed to BTSync.exe. An attacker can leverage this vulnerability to execute code under the context of the current user,” ZDI wrote in its advisory.
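The flaw class described in the advisory is argument injection through a custom URL scheme handler: the browser hands the whole URL to a registered executable, and if that URL ends up on the command line as more than one token, a web page controls the program's switches. The following is an added illustration written for this article, not code from BitTorrent or from ZDI, and it does not reproduce the actual BTSync.exe behaviour: the scheme name comes from the advisory, while the executable path, the allowed parameter names, and the host allowlist are hypothetical. It contrasts a naive handler that splits the decoded URL into arguments with a hardened one that validates the URL against an allowlist, rejects values that could be read as switches, and builds a fixed-shape argv without a shell.

```python
import re
import subprocess
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed values: the scheme name is taken from the advisory; the
# executable path, host allowlist and parameter names are hypothetical.
SCHEME = "btsync"
APP_PATH = r"C:\Program Files\ExampleSync\ExampleSync.exe"  # placeholder path
ALLOWED_HOSTS = {"sync"}
ALLOWED_PARAMS = {"secret", "folder"}
# A value may not begin with '-' or '/', so the launched binary can never
# parse it as a command-line switch, and it may contain no whitespace.
VALUE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class RejectedUrl(ValueError):
    """Raised when a scheme URL fails validation."""


def naive_argv(url: str) -> list[str]:
    """Mimics a handler registered as `app.exe %1` and run through a shell:
    the percent-decoded URL is split on whitespace, so every extra token
    becomes its own argument to the application.  This is the weak form."""
    return [APP_PATH] + unquote(url).split()


def validate_link(url: str) -> dict[str, str]:
    """Return the allowlisted query parameters of a scheme URL,
    or raise RejectedUrl if anything unexpected is present."""
    parts = urlsplit(url)
    if parts.scheme.lower() != SCHEME:
        raise RejectedUrl("unexpected scheme")
    if parts.netloc not in ALLOWED_HOSTS or parts.path or parts.fragment:
        raise RejectedUrl("unexpected host, path or fragment")
    params: dict[str, str] = {}
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key not in ALLOWED_PARAMS or len(values) != 1:
            raise RejectedUrl(f"unexpected or repeated parameter: {key}")
        if not VALUE_RE.fullmatch(values[0]):
            raise RejectedUrl(f"invalid value for parameter: {key}")
        params[key] = values[0]
    if not params:
        raise RejectedUrl("no parameters supplied")
    return params


def build_argv(url: str) -> list[str]:
    """Hardened form: the handler chooses every switch name itself, and each
    validated value occupies exactly one argv element, so the URL can never
    add, remove or rename a switch."""
    params = validate_link(url)
    argv = [APP_PATH]
    for key in sorted(params):
        argv += [f"--{key}", params[key]]
    return argv


def launch(url: str) -> subprocess.CompletedProcess:
    """Launch the application with an argument list and no shell, so no
    token in the URL can be re-tokenised on the way to the process."""
    return subprocess.run(build_argv(url), shell=False, check=False)


if __name__ == "__main__":
    # Constructed sample links; the second carries an extra token that the
    # naive handler would hand to the application as a separate argument.
    print(build_argv("btsync://sync?secret=ABC123"))
    print(naive_argv("btsync:foo%20--some-switch"))
    try:
        build_argv("btsync://sync?secret=-x")
    except RejectedUrl as exc:
        print("rejected:", exc)
```

The essential difference is where tokenisation happens: in the naive form the untrusted URL decides how many arguments the process receives, while in the hardened form that shape is fixed by the handler and only validated values flow through, which removes the injection point regardless of which switches the application supports.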
BitTorrent told SecurityWeek that security is a top priority for the company and that the vulnerability was addressed shortly after it was reported in November.