Users of popular media players such as Popcorn Time, VLC and Kodi can be attacked through malicious subtitle files, according to a warning from security company Check Point that deserves to be taken seriously. By the company's estimate, around 200 million video players and streaming applications run the vulnerable software.
Subtitles are often seen as innocuous text files, but according to the researchers these text files can be used to perform malicious actions on a victim's device.
There are over 25 different subtitle formats in use, each with its own features and capabilities. Media players therefore have to handle many subtitle formats, and each player parses them in its own way. As with other cases of fragmented software, this leads to many vulnerabilities.
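The article releases no technical details, so the defensive point it makes can only be illustrated in general terms: a subtitle file arriving from a public upload site is untrusted input and should be parsed against a strict grammar with hard limits rather than handed to a permissive parser. The following is an added example, not code from Check Point or from any of the media players named; it covers only the SRT format, and the size and length limits, the `parse_srt`/`check_srt` names and the sample files are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hard limits for a subtitle file treated as untrusted input.
# The values are assumptions chosen for this example, not figures from the article.
MAX_FILE_BYTES = 1_000_000
MAX_CUES = 5_000
MAX_LINES_PER_CUE = 4
MAX_LINE_CHARS = 300

# Strict SRT timing line: HH:MM:SS,mmm --> HH:MM:SS,mmm (nothing else accepted)
TIMESTAMP_RE = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2}),(\d{3}) --> (\d{2}):(\d{2}):(\d{2}),(\d{3})$"
)
# Simple inline markup such as <i>, </b>, <font color="...">; the repetition is
# bounded so a stray "<" cannot swallow an unbounded run of text.
TAG_RE = re.compile(r"</?[A-Za-z][^<>]{0,60}>")


@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    text: str


class SubtitleRejected(ValueError):
    """Raised when the file violates a structural or size limit."""


def _to_ms(h: str, m: str, s: str, ms: str) -> int:
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def parse_srt(data: bytes) -> list[Cue]:
    """Parse SRT bytes into cues, rejecting anything outside the strict grammar."""
    if len(data) > MAX_FILE_BYTES:
        raise SubtitleRejected("file too large")
    try:
        text = data.decode("utf-8-sig")  # strict decode, no charset guessing
    except UnicodeDecodeError:
        raise SubtitleRejected("not valid UTF-8") from None
    # Control characters (other than CR, LF, TAB) have no place in a subtitle.
    if any((ord(ch) < 0x20 and ch not in "\r\n\t") or ch == "\x7f" for ch in text):
        raise SubtitleRejected("control character present")

    text = text.replace("\r\n", "\n").replace("\r", "\n")
    blocks = [b.strip() for b in text.strip().split("\n\n") if b.strip()]
    cues: list[Cue] = []
    for block in blocks:
        if len(cues) >= MAX_CUES:
            raise SubtitleRejected("too many cues")
        lines = block.split("\n")
        if len(lines) < 3:
            raise SubtitleRejected("cue missing index, timing or text")
        if not lines[0].strip().isdecimal():
            raise SubtitleRejected("cue index is not numeric")
        m = TIMESTAMP_RE.match(lines[1].strip())
        if not m:
            raise SubtitleRejected("bad timestamp line")
        start = _to_ms(*m.groups()[:4])
        end = _to_ms(*m.groups()[4:])
        if end < start:
            raise SubtitleRejected("cue ends before it starts")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleRejected("too many lines in cue")
        cleaned = []
        for line in body:
            if len(line) > MAX_LINE_CHARS:
                raise SubtitleRejected("line too long")
            cleaned.append(TAG_RE.sub("", line))  # keep plain text only
        cues.append(Cue(int(lines[0]), start, end, "\n".join(cleaned)))
    return cues


def check_srt(data: bytes) -> Optional[str]:
    """Return None if the file is acceptable, otherwise the reason it was rejected."""
    try:
        parse_srt(data)
        return None
    except SubtitleRejected as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: one well-formed file and one with an over-long line.
    good = b"1\n00:00:01,000 --> 00:00:02,500\nHello <i>world</i>\n"
    bad = b"1\n00:00:01,000 --> 00:00:02,000\n" + b"A" * 600 + b"\n"
    print(parse_srt(good))
    print(check_srt(bad))
```

The design choice is to fail closed: any deviation from the expected grammar, size or character set rejects the whole file, and markup is stripped before the text reaches a renderer. A player that must support many of the 25-plus formats would need one such strict front end per format, which is exactly the surface the article describes as fragmented.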
The researchers warn that a malicious subtitle can be used to completely take over the platform on which the media player or streamer is running.
For their research they looked at VLC, Kodi, Popcorn Time and Stremio, but other media players are probably vulnerable as well. On all four tested players it was possible to execute arbitrary code on the system via a malicious subtitle. Subtitles are downloaded from various websites that let users upload and rate subtitles themselves.
Some players also download subtitles automatically. An attacker could manipulate the website's ranking system to push his own malicious subtitle to the top.
Check Point warned the developers of the various media players. Some issues have already been fixed, while others are still being investigated. To give developers more time to fix the vulnerabilities, the company has decided not to release further technical details for now. It does, however, point to new versions of the media players it examined in which fixes have been applied.