Dear JPopSuki,

A serious security vulnerability has been discovered in the built-in Web UI that comes with qBittorrent. This vulnerability affects version 4.5.1 on Windows and may affect older versions on Windows as well. It depends on the Web UI feature of the client being enabled and accessible on the public Internet. It allows a remote user to trivially retrieve any file on the computer on which qBittorrent 4.5.1 (and/or earlier versions) on Windows is running with the Web UI feature enabled. This feature is disabled by default.

A GitHub issue has been filed reporting this problem. It has been fixed at the source and a new version is expected to ship out soon. In the meantime, if you are using qBittorrent 4.5.1 (and/or earlier) on Windows with the Web UI enabled, you should either disable this feature or make sure the endpoint (host:port) is properly protected from public Internet access by a mechanism other than the built-in authentication.
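To check which of the two cases applies to a given install, the sketch below reads the Web UI settings from the client's configuration file. It is an added example, not code from qBittorrent or from this notice. The `[Preferences]` section, the `WebUI\Enabled`, `WebUI\Address` and `WebUI\Port` key names, and the defaults of `*` and 8080 are assumptions about how qBittorrent 4.x writes `qBittorrent.ini`, and the sample file is constructed.

```python
import ipaddress

# Constructed sample of a qBittorrent.ini file (not taken from a real host).
SAMPLE_INI = r"""
[BitTorrent]
Session\Port=51413

[Preferences]
WebUI\Enabled=true
WebUI\Address=*
WebUI\Port=8080
"""

def read_webui_settings(ini_text):
    """Return the WebUI keys of the [Preferences] section, prefix stripped."""
    prefix = "WebUI\\"
    section, settings = None, {}
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Preferences" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.startswith(prefix):
                settings[key[len(prefix):]] = value
    return settings

def assess_webui(ini_text):
    """Classify the Web UI as 'disabled', 'loopback-only' or 'network-reachable'."""
    s = read_webui_settings(ini_text)
    if s.get("Enabled", "false").lower() != "true":
        return "disabled", None
    address = s.get("Address") or "*"   # assumed default: all interfaces
    port = int(s.get("Port", "8080"))   # assumed default port
    try:
        loopback = ipaddress.ip_address(address).is_loopback
    except ValueError:
        # "*" and host names are not IP literals; only "localhost" is local.
        loopback = address.lower() == "localhost"
    return ("loopback-only" if loopback else "network-reachable"), (address, port)

if __name__ == "__main__":
    print(assess_webui(SAMPLE_INI))
```

A result of `network-reachable` reflects the bind address only. Whether the endpoint is actually exposed to the public Internet still depends on the firewall, router or VPN in front of the machine.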

__________________________________________________

Important General Warning

No web interface or other remote control mechanism devised for any torrent client that exists today is rigorously tested. There simply is not enough time and effort available to secure this aspect of the clients. Torrent client software is already highly susceptible to exploitation through the regular BitTorrent protocol without any such additional avenues of access.

If you use any kind of remote control mechanism for your torrent client, please make sure public Internet access to this mechanism is gated behind reasonably secure authentication. Never ever rely on the username:password authentication that is provided with many of these remote control mechanisms.