Malicious Subtitles Allow Hackers to Commandeer Devices Running Streaming Software

Researchers from Check Point have discovered a nasty vulnerability in streaming software that lets malicious subtitle files serve as an attack vector against devices running players such as Kodi, VLC, strem.io and Popcorn Time. It is equivalent to clicking “Yes” to installing malicious software from a website without ever seeing the prompt. Check Point researchers note: “We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.” The vulnerability gives the attacker total control of the device.

The Check Point researchers describe the attack vector as abusing a seemingly innocent chain of trust: users choose a subtitle file thinking that it is nothing more than a text file. Antivirus developers pay little to no attention to subtitle file formats, and a given streaming application may support 25 or more of them. Each of these formats exposes the streaming software, and thus the user’s device, to vulnerabilities. Because subtitles are considered innocent, little has been done to patch the security holes over the years.



It is extremely easy to spread the malicious subtitle files as the most popular subtitles are automatically loaded by many streaming media players. Subtitle repositories such as OpenSubtitles.org rank and index subtitles. The Check Point researchers also noted that it was even easier to manipulate the subtitle rankings on these websites to make sure that the malicious files are ranked highest. I would like to thank TorrentFreak for the original article that I referenced.

By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

Which media players are affected?

To date, we tested and found vulnerabilities in four of the most prominent media players: VLC, Kodi, Popcorn Time and Stremio. We have reason to believe similar vulnerabilities exist in other media players as well. We followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players. Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point.

Source: [H]ardOCP – Malicious Subtitles Allow Hackers to Commandeer Devices Running Streaming Software