Hackers can use malicious subtitles to remotely take control of your device

Do you use Kodi, Popcorn Time, VLC or Stremio? Do you use subtitles while you watch? If so, then you need to update the platform as Check Point researchers revealed that not all subtitles are benign text files and hackers can remotely take control of any device running vulnerable software via malicious subtitles.

The attack is not in the wild, since Check Point developed the proof of concept attack vector; however, with news of the attack vector and an estimated 200 million video players and streaming apps running vulnerable software, attackers might jump on the malicious subtitle wagon to gain remote access to victims’ systems.

Check Point pointed out that Kodi has nearly 40 million visitors per month, VLC has over 170 million downloads and Popcorn Time likely also has millions of viewers. With all being vulnerable, researchers called the malicious subtitle attack “one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.”

Subtitles are often treated as a trusted source, automatically downloading from third-party repositories. There are dozens of subtitle formats and numerous shared online repositories like OpenSubtitles.org. The repositories can be gamed, allowing attackers “to take complete control over the entire subtitle supply chain.”

Leave a Reply

Your email address will not be published. Required fields are marked *