SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Hackers target subtitle files in major media players - including VLC
Mon, 29th May 2017
FYI, this story is more than a year old

If you use media players such as VLC, Kodi, Popcorn-Time and strem.io, chances are your device has a vulnerability that allows cyber attackers to create malicious subtitle files, which are then downloaded directly to your media player.

Check Point researchers discovered the vulnerability last week, with estimates that around 200 million video players are at risk. They're calling it one of the most widespread, easily-accessed and zero-resistance vulnerabilities in years.

The attack works by using subtitle databases that are trusted by both users and media players by default. Those databases such as OpenSubtitles.org can also host malicious content, which is then given false trust rankings to boost it to the top of the list. Users just need to download the top results and immediately the payload is delivered as the media player downloads the infected subtitles.

Attackers can then take control of victims' machines, whether that machine is a PC, mobile device or smart TV. They could then install malware, steal sensitive information or conduct mass DoS attacks.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk," Check Point's blog says.

Researchers believe that it shows how flawed media players are when it comes to security and subtitle file processing. Subtitle formats number more than 25, and each format comes with different features. They state that media players often use many different formats to stitch together subtitle files, which means there are massive holes in each kind of software.

Researchers also state that VLC has reached more than 170 million downloads and Kodi (XBMC) has more than 10 million. Potential victims could also in the hundreds of millions if the software isn't patched.

While researchers haven't tested other media players, they suspect similar holes will also exist. Since Check Point disclosed the vulnerabilities, VLC, Kodi, Stremio have made updated versions available on their website. PopcornTime has also created a fixed version.

How does the attack work? Find out more in the video below.