A team of researchers at Check Point has discovered vulnerabilities in numerous media players that allows a hacker to take full control of any device when a malicious subtitle file is used.
By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. checkpoint said in blog.
The firm estimates 200 million people are potentially at risk.if you’re using a media player to watch a legitimate copy of a film that already has subtitles, you’re probably just fine. But if for any reason you visited one of the numerous websites that allow you to download subtitles for movies in various languages, you could be at risk.
These are the media players that are affected and how to update them:
PopcornTime – Created a Fixed version, however, it is not yet available to download on the official website. The fixed version can be manually downloaded here .
Kodi – Created a fix version, which is currently only available as source code release. This version is not yet available to download in the official site. Link to the source code fix is available here .
VLC – Officially fixed and available to download on their website
Stremio – Officially Fixed and available to download on their website
According to checkpoint researcher,There are a number of shared online repositories, such as OpenSubtitles.org, that index and rank movie subtitles. Some media players download subtitles automatically; these repositories hold extensive potential for attackers. Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction.