Privacy Issue with i2psnark DHT: you can crawl the hashtable to find out what people are sharing
Opened 10 months ago
Last modified 10 months ago
#2754 new defect
Reported by: MichaelPalin
Owned by: zzz
Priority: minor
Milestone: undecided
Component: apps/i2psnark
Version: 0.9.46
Keywords:
Cc:
Parent Tickets:
Sensitive: no
Description
The i2psnark DHT maps info hashes to the addresses of users sharing the torrent.
This means you can easily survey the network to find out what people are sharing: just set up a node and listen for DHT messages containing info hashes, and then connect to the nodes sharing those hashes and download the torrent metadata (and/or the actual content).
I was able to prove this can be done by running a modified i2psnark Java client. I collected about 18600 torrent descriptions from the DHT before I became bored with the project.
This issue could be avoided by using a hash derived from the info hash as the key in the DHT, rather than the info hash itself. Then an attacker could collect only the derived hashes, which gives him no way to obtain the torrent metadata or content.
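A sketch of the derived-key mitigation proposed in the description, as an added example that is not part of the ticket or of i2psnark's code. It models the DHT and a sharing peer in memory; `DHT_KEY_LABEL`, `ToyDHT`, `Peer`, the use of SHA-1 for the derivation, and all sample values are assumptions made for illustration.

```python
import hashlib

# Assumption: the label and the choice of SHA-1 are illustrative, not i2psnark's.
DHT_KEY_LABEL = b"dht-key-v1:"

def dht_key(info_hash: bytes) -> bytes:
    """Derive the value published in the DHT from the 20-byte info hash."""
    if len(info_hash) != 20:
        raise ValueError("info hash must be 20 bytes")
    return hashlib.sha1(DHT_KEY_LABEL + info_hash).digest()

class ToyDHT:
    """In-memory stand-in for the DHT: key -> set of peer addresses."""
    def __init__(self):
        self.table = {}
        self.seen = []  # every key a node handling DHT traffic gets to see

    def announce(self, key: bytes, peer: str) -> None:
        self.seen.append(key)
        self.table.setdefault(key, set()).add(peer)

    def get_peers(self, key: bytes) -> set:
        self.seen.append(key)
        return set(self.table.get(key, ()))

class Peer:
    """Sharing peer; as in the BitTorrent handshake, only the real info hash is served."""
    def __init__(self, address: str, info_hash: bytes, metadata: bytes):
        self.address = address
        self._torrents = {info_hash: metadata}

    def announce_all(self, dht: ToyDHT) -> None:
        for info_hash in self._torrents:
            dht.announce(dht_key(info_hash), self.address)

    def handshake(self, claimed_info_hash: bytes):
        return self._torrents.get(claimed_info_hash)

def demo() -> dict:
    # Constructed sample data: a fake info hash and a placeholder address.
    info_hash = hashlib.sha1(b"constructed sample info dictionary").digest()
    dht = ToyDHT()
    seeder = Peer("seeder.example.i2p", info_hash, b"constructed metadata")
    seeder.announce_all(dht)
    return {
        "info_hash_on_dht": info_hash in dht.seen,
        "peers_for_holder": dht.get_peers(dht_key(info_hash)),
        "holder_gets": seeder.handshake(info_hash),
        "observer_gets": seeder.handshake(dht.seen[0]),
    }
```

The derived key hides only info hashes the observer does not already have: anyone holding the info hash (for example from a magnet link) can compute `dht_key` and look up peers, which is also what lets legitimate downloaders find them.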