Serious Security Problem In Fasttrack Apps

**Colt Seevers** · 05-27-2003, 11:32 PM

Probably old news to alot of you with your finger on the pulse... did i miss this on the forum?? here's what i caught on afterdawn.com

A security researcher, known only by his nickname Random Nut, has found a severe bug in FastTrack P2P protocol that can be used to crash or take control of so-called "supernode" computers in the P2P network. Supernodes are P2P users that have "sufficient resources" to act as supernodes and they hold together "nodes" (normal users), connect to other "supernodes" and deliver the search results within their node networks.
 
  According to Random Nut's comments, he informed Joltid (the American subsdiary of Kazaa BV, Netherlands-based company that owns the FastTrack technology, although not any of the clients, such as Kazaa, anymore) about the bug two weeks ago, but didn't get any reply back. This week he informed kazaa.com about the vulnerability and now at least Sharman Networks, who develops the Kazaa client, has reacted. Sharman has promised to issue a bugfix within next 24 hours.
 
  Other FastTrack-based applications are vulnerable to the bug as well -- these include Kazaa Lite (and all its variations), Grokster and iMesh. Random Nut hasn't disclosed the exploit code: "I don't want some little script-kiddie to close down all of the [FastTrack] network or parts of it".

hmmm, good call RN! "Security Researcher" I like that term.... B)

**loz** · 05-27-2003, 11:39 PM

Just heard that story, here is the story with a little more information.

Full story here

The patch to cover the flaw will be available at www.kazaa.com within the next 24 hours

**random coconut** · 05-28-2003, 01:45 AM

I never told the reporter anything about me and he quotes me as being a security researcher. I can't blame him, he's a reporter after all. Make things up all the time.

**Switeck** · 05-28-2003, 08:22 AM

Originally posted by random coconut@27 May 2003 - 20:45
I never told the reporter anything about me and he quotes me as being a security researcher. I can't blame him, he's a reporter after all. Make things up all the time.

It's easier for them to assume you're a 'security researcher' because of the results of your hacking...
than for them to say 'this was discovered by someone who is out to destroy Kazaa by the creation of Kazaa Lite++'.

The media has a funny way of treating hackers. We're forced to wear many hats because none fit us.

offtopic:
I guess this makes anyone who does searches on Google into family tree information a private investigator.

VB · 05-28-2003, 09:25 AM

random nut said that he may write a patch for Kazaa Lite too in a couple weeks from now.

To exploit this bug you need to have the encryption code of the FastTrack protocol. So not everyone can just use the exploit. I wouldn't worry to much at this point.

**RealitY** · 05-28-2003, 06:18 PM

Originally posted by random coconut@28 May 2003 - 02:45
I never told the reporter anything about me and he quotes me as being a security researcher. I can't blame him, he's a reporter after all. Make things up all the time.

Who are you?