Computer takeover via cross-site request forgery
<IMG> tags, access other websites. The malicious site can then make configuration changes using the access rights of the victim.
In the past, CSRF attacks have been used to change a user's router configuration to make it use a manipulated DNS server. However, the hole that Carter found allows a trojan to be installed directly onto the victim's computer.
Carter's attack is performed in several stages. The first link changes the configuration of µTorrent, causing it to move completed downloads to an alternative directory:
Then it changes the path to which completed downloads are moved:
That moves downloaded files into the autostart folder for every user on the system. Now the attacker can use a third link to initiate download of a Trojan, which is executed once the computer is restarted and a user logs in:
Countermeasures against such a CSRF attack could include requiring a password every time configuration changes are made, or using a session ID, which must not, however, be stored in a cookie.
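The session-ID countermeasure, sketched as an added example (not code from µTorrent or from the original article): a settings handler that authenticates by cookie but only accepts changes that carry a per-session token in the POST body. The `/settings` endpoint, the `completed_dir` setting and the helper names are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SESSIONS = {}   # session id (cookie) -> anti-CSRF token; hypothetical store
SETTINGS = {"completed_dir": "/downloads/done"}   # constructed sample setting


def login():
    """Issue a session cookie value and a separate token for the page to embed."""
    sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    return sid, token


def handle(method, url, cookies, form=None):
    """Return (status, reason) for a request to the hypothetical /settings endpoint."""
    expected = SESSIONS.get(cookies.get("sid", ""))
    if expected is None:
        return 401, "no valid session"
    query = parse_qs(urlsplit(url).query)
    if method != "POST":
        # <IMG> and link loads are GETs: they may read, never write.
        if query:
            return 405, "settings cannot be changed via GET"
        return 200, "read-only view"
    form = form or {}
    # The token must arrive in the request body. The browser attaches cookies
    # to cross-site requests automatically, so a cookie proves nothing here.
    supplied = form.get("token", "")
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or wrong anti-CSRF token"
    for key in SETTINGS:
        if key in form:
            SETTINGS[key] = form[key]
    return 200, "settings updated"


if __name__ == "__main__":
    sid, token = login()
    jar = {"sid": sid}
    # Constructed requests: a forged GET, a forged POST without the token,
    # and the genuine form submission from the UI page itself.
    print(handle("GET", "/settings?completed_dir=/tmp/x", jar))
    print(handle("POST", "/settings", jar, {"completed_dir": "/tmp/x"}))
    print(handle("POST", "/settings", jar, {"completed_dir": "/data", "token": token}))
```

Only the interface's own page can read the token and place it in the form, so a request triggered from another site arrives with the cookie but without the token and is refused.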
µTorrent web UI plug-in users should, at the very least, change the standard port that the interface listens on. They should also immediately log out of the interface following any changes to it. The safest course is simply not to use the plug-in at all until the developers offer a patched version of it for download.