Put Away The Popcorn: Viruses Hidden In Subtitles Can Let Hackers Take Over Your Device

0
372

May 25, 2017

Hackers are hiding viruses in video subtitle files for media players, allowing them to take over users' devices.

May 25, 2017

Hackers are hiding viruses in video subtitle files for media players, allowing them to take over users' devices.

A staggering 200 million users of streaming platforms such as Popcorn Time, Kodi, Stremio and VLC are believed to be vulnerable, say researchers at Check Point. They describe it as 'one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years'.

The hack only affects subtitle files from third-party sites – watching a legitimate copy with its own subtitles should be fine.

But the attack can affect any device: a PC, smart TV or even a mobile device. It's delivered when movie subtitles are loaded by the user’s media player – which treats them as a trusted source. And the subtitle repositories can even be manipulated into giving the malicious subtitles a higher score, making them more likely to be served up to the user.

"This method requires little or no deliberate action on the part of the user, making it all the more dangerous," says the team.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, anti-virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk."

Check Point has released a video showing the exploit in action, showing Disney’s Frozen being played on Popcorn Time, running on a Windows PC.

When an English subtitle is added, the attacker, using a Linux machine, gains full control over the victim’s PC.

Kodi, VLC and Stremio have already released official fixes, which are available to download here, here and here, and which will be applied automatically to users of the latest version. Popcorn Time has created a fix that can be manually downloaded via this link.

But it's not known whether other players may be equally vulnerable – meaning you may want to think twice before watching that foreign movie tonight.


Courtesy: Forbes