Torrents-Time is an interesting little browser plugin that lets you stream torrents without needing to download a whole separate client. It’s a boon for anyone who needs a simple way to torrent, but as a few people are pointing out, it’s also horribly insecure.
The plugin works with Firefox, Internet Explorer, or Chrome, and the premise is simple: with it installed, navigate to any Pirate Bay torrent page, and you’ll get a link to stream the torrent, rather than just downloading it. Sounds great! But there are a few worries.
A dissection by Andrew Sampson, as well as people on the /r/Piracy subreddit, has thrown up a few worries about how the plugin works. At heart, Torrents-Time is trying to run an entire torrent client in a webpage and using a service, which leads to some “creative” programming, and some serious security flaws.
The most egregious is the abuse of cross-origin resource sharing (CORS), a mechanism that lets one webpage request resources from another webpage. Sampson shows that because of how it’s set up, it proves to be a gaping security hole that could compromise what you download, not to mention your IP address — not good for something used for illegal downloads.
There’s a few other concerns as well: it seems to run persistently in the background on your computer, which could fry battery life and annoy anyone who tries to put their PC to sleep, and Sampson found a CPU bug that is not just annoying, but potentially symptomatic of a more serious coding flaw.
All in all, Torrents Time is a neat plugin, but probably not worth the effort. Legions of much better, more robust and far more secure torrent clients live out there; sacrifice three seconds of convenience, in order to not compromise your entire computing setup. [Andrew Sampson]