P2P file-sharing software poses a massive security risk, researchers have warned.
One plug-in designer for the hugely popular eDonkey program (two million clients and counting) has revealed that a simple plug-in can provide unlimited disk and sockets access, the ability to run programs on the local machine and an opportunity to spread that code through a network. In short, the quintessential security nightmare.
Describing the architecture (MetaMachine - used by eDonkey and Overnet) as "by far the worst and most insecure I have ever seen in my life", Julian Ashton has posted his concerns on BugTraq and warned that it would only require a malicious plug-in for millions of P2P clients to turn either against the user or be used to target someone else, possibly in a DDoS attack.
The problem is that such plug-ins are not tied in with the software itself but allowed to sit with the operating system, meaning that P2P software could be used as a portal to gain access to people's PCs. The possibilities to use this for virus or worm propagation, or spamming, or as a hacking effort are all too clear.
Ashton has even written a small add-in to demonstrate the problem, downloadable from his site. A zip of "Fake Fast Track" is available here.
While many companies either block or ban P2P software on their networks both for security and legal reasons, the fact that a relatively lightly skilled programmer could use such a client to compromise security will worry many.
Even if one network's threat is dealt with, the millions of clients out there can still represent a massive virus or DoS risk. If the P2P clients using MetaMachine want to remain popular, an update to the software is sorely needed.
You can read Ashton's observations on BugTraq here.