Home > Specs > BitTorrent
BitTorrent SHA-1 Collision Demo
Written by Kevin Hearn (kh@tixati.com)
Last update October 6, 2025

The following demonstration that shows how easy it is to make a torrent with two versions of the same piece that both pass the SHA-1 hash check.

This could be used to establish a torrent containing a piece of software that appears safe and works correctly, but is later transparently swapped out for the alternate version containing the other collision block.  The software could detect this via a self-check and then run an alternate code path.

Other document and media files could also be pre-sabotaged depending on the specifics of the format and the viewer software.

The demonstration is contained in a small zip file.

BitTorrent_Collision_Demo.zip  9.1 KB

After extraction, there will be three files.  A readme file, and then two shell scripts named test.sh, one in folder A, one in folder B.

In Tixati or perhaps Transmission, create a new single-file torrent from either of the two test.sh files.  In Tixati, the protocol must be set to v1.0.  Notice that the info hash is exactly the same.  If you attempt to create the second torrent before removing the first, you will get a duplicate torrent warning.

The fact that the files are different can be verified on the command line:


For a demonstration of how this could be used, refer to the content of the shell script:


This is obviously a very simplistic program, but it clearly demonstrates the overall concept.  In more complex programs, it would be trivial to hide such functionality.



https://tixati.com/specs/bittorrent/sha1_problems

https://tixati.com/specs/bittorrent/v3

https://en.wikipedia.org/wiki/SHA-1

https://sha-mbles.github.io/