Last week, The Pirate Bay introduced a new “service” that allows visitors to stream movie and TV show torrents in a web browser, eliminating the need to install a standalone third-party BitTorrent client. This is made possible by the Torrents-Time browser Plugin, the maker of which insists that its software doesn’t break any laws because it’s developed for streaming legal content. The anti-piracy group BREIN sees it differently.

Legal or not, using Torrents-Time to stream content from the likes of The Pirate Bay is risky business, and not just from a legal standpoint. Last week, Andrew Sampson (the creator of the Music Streaming App Aurous) took a close look at the Torrents-Time plugin and discovered that it has a number of issues that should persuade potential users not to use it.

According to a post, the plugin “abuses” cross-origin resource sharing, or CORS, which allows a resource like a web page to request a resource from another domain, such as an image. Typically, web pages will load resources like scripts, images, and CSS stylesheets that are served up from a different domain. In the case of the plugin, it exposes a CORS-enabled XHR object, allowing an attacker to inject a few lines of code.

The result? Forced piracy. With just a single line, Sampson says he can force a user to torrent whatever he wants, even if the user had no intention of streaming that particular content. Hackers can perform this code injection with any content, and use any publisher ID in the process. Remember, the Torrents-Time plugin isn’t just streaming a movie to your browser: it’s sending torrent bits to other users. That means you’re pirating illegal content if the hacker forces copyrighted content into the stream.

Next up, he says that anyone with access to JavaScript on a website, such as an advertiser, can see the Torrents-Time plugin user and send that information using Torrents-Time’s exposed XHR object. Even more, the Torrents-Time servers can log your IP address, country of origin, user agent, cookies, and more. Sampson says there’s also a set of private keys that are masking something within the C code that’s making HTTP requests.

Other concerns Sampson has include the ability to redirect the download for the plugin, XSS vulnerability it brings to the hosting site, high CPU usage, and program crashes. For the latter, he said that sending random strings to crash the program indicated that a possible buffer overflow is “waiting to be exploited.”

As reported last week, The Pirate Bay isn’t the only torrents-based site using this plugin. Kickass Torrents will be using Torrents-Time as well as Online.porntime.ws, Videomax.is, and Torrentproject.se. Sampson suggests that sites remove this plugin immediately, and if you’ve downloaded the plugin into your browser, remove it now.

In response to the report, Torrents-Time said that the problem regarding starting torrents without the user’s knowledge will be fixed in the latest update. The company also acknowledged that the plugin has root access on OS X, but this was needed to implement the VPN service; it also stated that the XSS vulnerability has nothing to do with the plugin, and solely relies on The Pirate Bay.

“Andrew Sampson, creator of the Aurous music streaming app, which was shut down after a law suit leading to Sampson's shame and heavy losses, apparently decided that if he was pulled down from the scene of content sharing, nobody should exist there,” Torrents-Time states in its letter to TorrentFreak. “Apparently being hateful to everything around file sharing, he invents false accusations against Torrents Time with an aim to have it blocked or uninstalled. Or maybe he just wants the publicity, so he can finally find a job.”

Ouch. The response letter is rather lengthy and colorful, but refutes every complaint made by Sampson. For now, it's probably best to hold off on streaming torrents.