BitTorrent Sync security & privacy analysis

TL;DR & Conclusions

  • Probable leak of all hashes to getsync.com, which would give BitTorrent Inc. access to all shared data.
  • The change of sharing paradigm that introduced this vulnerability happened after the first releases. This may be the result of an NSL (National Security Letter: a demand from the US Government to a business, pressuring it to hand over keys or to introduce vulnerabilities that compromise previously secure systems) received by BitTorrent Inc. and/or the developers.
  • Leak of the clients' private network addresses, which gives an attacker an indication of where and what to attack.
  • Probable multiple vulnerabilities in the clients.
  • Bottom line: do not use it for sensitive data.

http://2014.hackitoergosum.org/bittorrentsync-security-privacy-analysis-hackito-session-results/