Newswise — A Cornell University research group has discovered serious vulnerabilities in a widely used peer-to-peer filesharing program. The weakness in LimeWire, a popular client for the Gnutella filesharing network, would allow a remote intruder to read any file that the program itself can read on the computer running it, including confidential material such as internal documents and some password files. The problem occurs in both the free and paid versions of the program, on every operating system for which it is available.
When his group noticed the problem, Emin Gun Sirer, Cornell assistant professor of computer science, notified Lime Wire LLC, the company that distributes the software, at once. "Lime Wire responded immediately and had a patch ready within a few hours," Sirer reported, adding that the company needed several days to get the patches out to all of the 36 million people who had downloaded the program. LimeWire automatically displays a notice that a patch must be installed when the program starts. Patches are available for all versions of the program except those that run on classic versions of the Mac OS, and the company is working on that, Sirer said.
The most serious vulnerability affects LimeWire versions 4.1.2 through 4.4.5. It lets an intruder reach the program even when the computer is behind a firewall. A second vulnerability affects versions 3.9.6 through 4.6.0, but can be blocked by a firewall. The latest corrected version of the program is 4.8.0; on the Mac platform, the latest corrected version is 4.0.10.
Both vulnerabilities can be exploited without any special tools, Sirer said, through an ordinary telnet login. Like other Gnutella clients, LimeWire is designed to let users download music and video files shared through the Gnutella network, and also to let the user offer shared files to others. The flaw allowed remote users to retrieve files outside the user's shared folder, not just the files the user had chosen to share.
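The failure mode described above, a file-serving component that hands out files outside the folder the user chose to share, is the general class of flaw; the release does not describe the specific defect in LimeWire, and the example below does not claim to. It is an illustration added for this page, not LimeWire's code: a weak resolver that concatenates the requested name onto the shared folder, beside a hardened one that decodes the request once, normalises it and refuses anything that resolves outside the share. The shared-folder path, the sample requests and the function names are all hypothetical.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical shared folder; LimeWire's real layout is not described on this page.
SHARED_ROOT = "/home/alice/LimeWire/Shared"


def naive_resolve(shared_root, request_path):
    """The weak pattern: glue the requested name onto the shared folder.

    Nothing checks where the result actually points, so a request carrying
    '../' segments resolves to a file outside the share.
    """
    return shared_root + "/" + request_path


def confined_resolve(shared_root, request_path):
    """The hardened pattern: decode once, normalise, then verify containment.

    Returns the path to serve, or None if the request must be refused.
    Uses pure string normalisation (posixpath) so the example runs offline;
    a real server would additionally call os.path.realpath() on both sides
    so that a symlink inside the share cannot point back out of it.
    """
    decoded = unquote(request_path)            # "%2e%2e%2f" -> "../"; decode exactly once
    if "\x00" in decoded:                       # an embedded NUL truncates paths in C-level APIs
        return None
    root = posixpath.normpath(shared_root)
    # posixpath.join discards root when the request is absolute ("/etc/passwd"),
    # and normpath collapses "." and ".." segments; both cases then fail the prefix test.
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed sample requests of the kind a Gnutella-style file server might receive.
SAMPLE_REQUESTS = [
    "music/song.mp3",             # legitimate
    "music/../video/clip.avi",    # legitimate, normalises to a path inside the share
    "../../.ssh/id_rsa",          # classic traversal out of the share
    "..%2F..%2F.ssh%2Fid_rsa",    # the same traversal, URL-encoded
    "/etc/passwd",                # absolute path, ignores the share entirely
    "music/song.mp3%00.txt",      # NUL-byte truncation attempt
]


def triage(shared_root=SHARED_ROOT, requests=SAMPLE_REQUESTS):
    """Map each request to the hardened resolver's decision: the served path or 'refused'."""
    return {r: (confined_resolve(shared_root, r) or "refused") for r in requests}


if __name__ == "__main__":
    for req, decision in triage().items():
        print(f"{req!r:28} naive={naive_resolve(SHARED_ROOT, req)!r}")
        print(f"{'':28} hardened={decision!r}")
```

Running the block prints, for each constructed request, where the naive resolver would send the server and what the hardened one decides; only the two legitimate requests survive the containment test. The order of operations matters: decoding must happen before normalisation (otherwise "%2e%2e" slips past the ".." check), and the prefix test must be done on the normalised result, never on the raw request string.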
Sirer is a specialist in peer-to-peer systems. He and his graduate student Kevin Walsh discovered the LimeWire problem while working on a new application, called Credence, that is intended to work with LimeWire to give users a way to determine how trustworthy data on the network may be.
"Much of the content in peer-to-peer filesharing networks is corrupt, damaged, or mislabeled. Such polluted content makes it difficult for correctly functioning peers to locate desired content," Sirer explains. Credence allows users to share ratings of objects, similar to the ratings on Amazon, but with features that discourage dishonest ratings. The idea has applications to many other types of peer-to-peer networks, such as those in which distributed workers collaborate. "As systems scale bigger and there is more collaboration on the net, we are going to need systems for evaluating the statements made by peers," he explained. "We are just computing the likelihood that what you say is true."
Related World Wide Web sites: The following sites provide additional information on this news release. Some might not be part of the Cornell University community, and Cornell has no control over their content or availability.
Credence: http://www.cs.cornell.edu/People/egs/credence/
LimeWire: http://www.limewire.com/english/content/home.shtml