Story image

Hackers target subtitle files in major media players - including VLC

29 May 17

If you use media players such as VLC, Kodi, Popcorn-Time and strem.io, chances are your device has a vulnerability that allows cyber attackers to create malicious subtitle files, which are then downloaded directly to your media player.

Check Point researchers discovered the vulnerability last week, with estimates that around 200 million video players are at risk. They're calling it one of the most widespread, easily-accessed and zero-resistance vulnerabilities in years.

The attack works by using subtitle databases that are trusted by both users and media players by default. Those databases such as OpenSubtitles.org can also host malicious content, which is then given false trust rankings to boost it to the top of the list. Users just need to download the top results and immediately the payload is delivered as the media player downloads the infected subtitles.

Attackers can then take control of victims' machines, whether that machine is a PC, mobile device or smart TV. They could then install malware, steal sensitive information or conduct mass DoS attacks.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk," Check Point's blog says.

Researchers believe that it shows how flawed media players are when it comes to security and subtitle file processing. Subtitle formats number more than 25, and each format comes with different features. They state that media players often use many different formats to stitch together subtitle files, which means there are massive holes in each kind of software.

Researchers also state that VLC has reached more than 170 million downloads and Kodi (XBMC) has more than 10 million. Potential victims could also in the hundreds of millions if the software isn't patched.

While researchers haven't tested other media players, they suspect similar holes will also exist. Since Check Point disclosed the vulnerabilities, VLC, Kodi, Stremio have made updated versions available on their website. PopcornTime has also created a fixed version.

How does the attack work? Find out more in the video below.

How AI can fundamentally change the business landscape
“This is an extremely interesting if not pivotal time to discuss how AI is being deployed and leveraged, both in business and at home.”
CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Game review: Just Cause 4 on PC
Rico Rodriguez returns to wreak over-the-top havoc for a fourth time. This time the island nation of Solís is our hero’s sandbox, ripe for destruction.
Hands-on review: Logitech G502 HERO gaming mouse
My favourite feature of the G502s is the ‘Sniper’ button, which is found on the left hand side of the device. When held, this lowers the DPI and allows you to achieve maximum accuracy whilst honing in on a kill on your favourite FPS title.
Interview: ZeniMax Online's game director talks Elder Scrolls Online
FutureFive’s Darren Price sat down with Matt Firor, ESO’s designer and now president and game director at ZeniMax Online.
IDC: Tablets stay dead, notebooks keep head above water
An IDC report predicts a soft personal PC market, slipping into further decline with the exception of notebooks, gaming PCs, and business PC upgrades.
A hands-on guide to Christmas shopping by Santa’s IT elf
Ho, ho, ho! So you’re back again for more inspiration for that hard-to-buy-for person in your life?