Dedicated WebUI malware

[jbarthelmes]

Hi, I just observed a botnet infecting an unsecured WebUI (admin:adminadmin, as is default) with a trojan. It seems to be tailored to the official qBittorent WebUI other torrent clients (rutorrent) as well. I wrote down my findings here. In summary the botnet brute forces admin passwords, then torrents the trojan and runs it via "run on download completion" of another file.

I think one of these changes is necessary to save users who unintentionally opened port 8080 (like me) from harm:

1. improved authentication by default, at least initialize with a random password
2. remove "run on download completion" from WebUI

[Xeddius]

I don't think removing "run on download completion" is a good change, I use that feature often to update my library, I think forcing users to actually pick a password instead of letting them run with defaults is what needs to be changed. Inevitably the issue lies with the users, if you get robbed it's not the lock company's fault that you left your door unlocked, it IS their fault if their locks are poorly made.

So in this case I think we need to force users to actually pick a secure password before they can enable webui.
Enabling "run on download completion" should have an option for password security (with a diff key than for webui) which is recommended to the user before they proceed.

"Hi, I just observed a botnet infecting an unsecured WebUI" I don't know what you expected to happen, but I'm hopeful that you've at least learned from the experience and use proper security practices in the future. I made the mistake of hosting my first website on my home machine, lost a lot of family photos and home videos. It's never easy, but I do think they could at least add a disclaimer for the uninformed.

Not to be rude but...

Please have some sense in the future.

[ArcticGems]

As mentioned previously:

Random password might confuse some users, so it would be better if when users enable WebUI in qBittorrent options, they get a prompt telling them to change the password into a secure/complex password.

An alternative to removing "run on download completion" from WebUI, could be to give it's own separate secure/complex password.

[RedTedRedemption]

my suggestion would be requiring the password be changed from the default after first login.

psuedocode:

load_torrents_list_page(); #after login complete
if (password.hash = "adminadmin".hash) {
spawn_modal("change your password "); #include change password fields and FORCE the user to do this
}

[jbarthelmes]

@Xeddius

if you get robbed it's not the lock company's fault that you left your door unlocked, it IS their fault if their locks are poorly made.

It is also the lock company's fault if they give everyone the same lock by default.

Not to be rude but...

Don't call other people "stupid tard" if you don't want to be rude.

run qBittorrent as root

Never said that and it's not necessary for the malware to function either.

adminadmin is very secure

Never said that.

Please have some sense in the future.

You too thanks.

[Xeddius]

@ArcticGems

Random password might confuse some users

It's 2020, if they can't remember/manage their passwords do they really have any business using it?
Plain and simple, defaults need to be removed, users need to be forced to input a password or this kind of thing is going to get worse.

...give it's own separate secure/complex password.

This is a very good idea.

@jbarthelmes

It is also the lock company's fault if they give everyone the same lock by default.

The difference is you could clearly see 👀 it was default and decided to leave it that way.
Like someone buying said locks KNOWING that everyone has the key and still installing them anyway. 🔓 🤷‍♂️

I agree that security features need to be improved simply because there are people like you who still need plastic safety plugs in wall outlets. 👶

[FranciscoPombal]

I don't think removing the "run on completion" feature is reasonable. That's the wrong solution to the problem, which is largely on the users' side.

qbittorrent-nox warns if using the default adminadmin is used:

qBittorrent/src/app/application.cpp

Line 627 in e15df81

if (pref->getWebUIPassword() == "ARQ77eY1NUZaQsuDHbIMCA==:0WMRkYTUWVT9wVvdDtHAjU9b3b7uB8NR1Gur2hmQCvCDpm39Q+PsJRJPaCU51dEiz+dTzh8qbPsL8WkFljQYFQ==")

. If they are too stupid/reckless to not change it, that's not our problem.

Initializing with a random password seems like a good idea though, as an additional safety net.

[sledgehammer999]

I am no user of the webui nor a webui developer but here are my 2 cents: IMO, the most appropriate action is probably to force the user on a password change on login and on the localhost. This has the advantage of working transparently for nox users too. Until the default is changed the server will not respond to any other api call or any other interface apart from localhost.

Initializing from a random password probably will create headaches for both UI and nox users. They will not be able to understand why they can't connect. And for nox users it will not be easy to manually change the password.

[ghost]

So any user that had enabled WebUI from qBt settings for say "testing" purpose and forgot to change the PW is vulnerable! That's alarming!

[sledgehammer999]

Addressed with #19777