sb-nz logo
Story image

Hackers target subtitle files in major media players - including VLC

29 May 2017

If you use media players such as VLC, Kodi, Popcorn-Time and strem.io, chances are your device has a vulnerability that allows cyber attackers to create malicious subtitle files, which are then downloaded directly to your media player.

Check Point researchers discovered the vulnerability last week, with estimates that around 200 million video players are at risk. They're calling it one of the most widespread, easily-accessed and zero-resistance vulnerabilities in years.

The attack works by using subtitle databases that are trusted by both users and media players by default. Those databases such as OpenSubtitles.org can also host malicious content, which is then given false trust rankings to boost it to the top of the list. Users just need to download the top results and immediately the payload is delivered as the media player downloads the infected subtitles.

Attackers can then take control of victims' machines, whether that machine is a PC, mobile device or smart TV. They could then install malware, steal sensitive information or conduct mass DoS attacks.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk," Check Point's blog says.

Researchers believe that it shows how flawed media players are when it comes to security and subtitle file processing. Subtitle formats number more than 25, and each format comes with different features. They state that media players often use many different formats to stitch together subtitle files, which means there are massive holes in each kind of software.

Researchers also state that VLC has reached more than 170 million downloads and Kodi (XBMC) has more than 10 million. Potential victims could also in the hundreds of millions if the software isn't patched.

While researchers haven't tested other media players, they suspect similar holes will also exist. Since Check Point disclosed the vulnerabilities, VLC, Kodi, Stremio have made updated versions available on their website. PopcornTime has also created a fixed version.

How does the attack work? Find out more in the video below.

Story image
Palo Alto Networks advances attack surface management with Expanse
"By integrating Expanse's attack surface management capabilities into Cortex after closing, we will be able to offer the first solution that combines the outside view of an organisation's attack surface with an inside view to proactively address all security threats."More
Story image
Top security threats for 2021
2021 will see several themes develop into full blown security threats, many of them borne from the struggles of pandemic-stricken 2020, writes Wontok head of technology Mick Esber.More
Story image
2020 saw a surge in detected malicious files — Kaspersky
Kaspersky detected more trojans, backdoors and worms than last year, representing an overall 5.2% increase in detected malicious files year-on-year.More
Story image
Check Point exposes Android malware vendor using dark net to rebrand products
Check Point security researchers have exposed an Android malware vendor using a marketer on the dark net to rebrand its products, with the intention of supercharging business and throwing off security vendors. More
Story image
UPDATED: RBNZ ascribes data breach to third-party file sharing service
“The nature and extent of information that has been potentially accessed is still being determined, but it may include some commercially and personally sensitive information,” says RBNZ Governor.More
Story image
Emotet remains leading malware in global threat index
The malware has impacted 7% of organisations globally, following a spam campaign which targeted more than 100,000 users per day during the holiday season.More