March 29, 2005

C.U. Group Finds LimeWire Flaw

Print More

A Cornell University research group recently uncovered a security flaw in the prominent peer-to-peer file-sharing program LimeWire. Prof. Emin Gun Sirer, computer science, and Kevin Walsh grad discovered a security flaw in LimeWire which would allow a remote user to “read any file on a host running LimeWire regardless of whether or not it was being shared,” explained Sirer.

Sirer and Walsh are in the process of developing a program named Credence which is designed to “allow honest peers to judge authenticity of files,” Walsh said.

“The novel part of our system is how we try to figure out which of your peers should be trusted,” he added.

Greg Bildson, the chief technology officer and chief operations officer of Limewire, said that “We prepared patches for the security issues within hours of receiving reports of the problem. Our production code being distributed to users was updated within a day and users were signaled for upgrade.”

Bildson expanded upon his statement of LimeWire’s security.

“We’ve never had a security vulnerability like this before. Our open source contributors have certainly pointed out bugs and added meaningful contributions in the past,” he said.

They were not aiming to discover security holes such as the one found in Limewire. The hole was discovered essentially by accident, as a by-product of the research group’s usage of the Limewire code. Even though it is not the goal of the research group to look for security holes, “we always have security in mind” Walsh said.

Credence, the program being developed by Walsh and Sirer, is designed to “essentially give you a thumbs-up or thumbs-down on files” Sirer said. Credence is being designed to drastically upgrade the reliability of search results of filesharing networks.

Once completed, Credence will function as a plug-in for Limewire and other peer-to-peer programs which utilize the Gnutella file-sharing network.

Archived article by Bryan Wolin
Sun Contributor