Wikipedia lists Xunlei Limited’s main product as a Bittorrent client, and maybe a decade ago it really was. Today however it’s rather difficult to describe what this application does. Is it a download manager? A web browser? A cloud storage service? A multimedia client? A gaming platform? It appears to be all of these things and more.
It’s probably easier to think of Xunlei as an advertising platform. It’s an application with the goal of maximizing profits through displaying advertising and selling subscriptions. As such, it needs to keep the users on the platform for as long as possible. That’s why it tries to implement every piece of functionality the user might need, while not being particularly good at any of it of course.
Just replace Xunlei with any corporate product name from Chinese IT industry.
https://palant.info/2024/03/06/numerous-vulnerabilities-in-xunlei-accelerator-application/
TL;DR: 迅雷裡到處都是幾年乃至十年陳含有各種已知CVE的各種第三方組件,包括但不限於Chromium、libpng、ffmpeg等,且為了方便有大量接口暴露在本地隨機端口上,authorization基本上相當於沒有。
Almost Secure
Numerous vulnerabilities in Xunlei Accelerator application
Looking into Xunlei Accelerator, I discovered a number of flaws allowing remote code execution from websites or local network. It doesn’t look like security was considered when designing this application.
