Malicious subtitles can be used to fully take over PC - Kodi, VLC, Popcorn Time vulnerable

Popular media players such as Kodi, Popcorn Time and VLC can be abused through malicious subtitles to take control of the computer on which they run, security company Check Point warns. According to the company, about 200 million video players and streamers are vulnerable.

Subtitles are usually considered harmless, but according to the researchers this is incorrect. There are currently more than 25 different subtitle formats, each with its own unique features and capabilities.

"Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities," the Check Point research team writes on its website. Through a malicious subtitle, hackers can take complete control of any device running it, they warn.

Check Point tested VLC, Kodi, Popcorn Time and Stremio, but other media players are likely vulnerable as well. All the tested players allowed arbitrary code to be executed on the system through malicious subtitles. These subtitles can be downloaded from all kinds of sites where users themselves can upload and rate them. Some players also have the option to download subtitles automatically. An attacker could manipulate a website's ranking system to make a malicious subtitle rank higher.

The developers of the media players have been warned by Check Point. Some of the issues were quickly resolved, while others are still being investigated. Not all details of the vulnerabilities have been disclosed yet.

"To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point," Check Point writes.
