Planning to binge-watch some films with subtitles this week? New research has revealed that popular streaming applications like Kodi, Popcorn Time, and VLC are placing millions of users at risk of cyberattack, as hackers can use malicious subtitles to gain "full control" of PCs as well as smart TVs and smartphones.
Security firm Check Point warned on Tuesday that criminals could easily craft subtitle text files for movies and TV shows and use them to take over any device running the affected software by exploiting bugs in the media players. The group discovered vulnerabilities in four of the most popular media players, Kodi (XBMC), Popcorn Time, Stremio, and VLC, although the security of other streaming media players could not be guaranteed.
Each media player usually draws on public repositories of subtitle files such as OpenSubtitles.org. These subtitles are indexed and ranked by popularity and usefulness, and players will typically download and load the most popular file for the selected film.
However, Check Point discovered that hackers could easily manipulate the online repositories' ranking algorithms and force their subtitles up to the top spot. The malicious subtitles are then downloaded automatically by media players, with no user interaction required.
"The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities," researcher Omri Herscovici said, noting that the system is vulnerable to attack because it is highly fragmented.
The vulnerabilities have been disclosed to the companies concerned, and all of the affected media players have already been updated, Forbes reported. Stremio said an automatic update will be carried out, but the update can also be applied manually. Kodi has also fixed the bug, while Popcorn Time said a patch had been released and was available for download. VLC also said that the new VLC 2.2.5 has addressed major issues and that new updates are expected to be rolled out later this week.
That being said, Herscovici advises all users to make sure that their streaming players have been updated to guard against potential cyberattacks.