Media players wide open to malware fired from booby-trapped subtitles
VLC, Kodi, Popcorn Time and Stremio were all vulnerable
Hackers have gone back to the future by attempting to infect targets with booby-trapped subtitle files.
By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can hope to take complete control of any device running the vulnerable platforms. Hackers have pushed trojans under the guise of subtitle files as far back as 2003.
This time around vulnerabilities in particular media player software packages are playing a role in facilitating the attack. Users of popular players – including VLC, Kodi, Popcorn Time and Stremio – are most at risk, according to researchers at security firm Check Point.
The vendors involved all addressed the reported issues before Check Point went public with a warning on Tuesday. Stremio and VLC have also released new software versions incorporating the fix. Similar (as yet undiscovered) vulnerabilities may exist in other streaming media players, Check Point warns.
Although they have legitimate uses, subtitle files are typically downloaded in association with pirated foreign-language films.
Shared online repositories, such as OpenSubtitles.org, index and rank subtitle files. Check Point researchers also demonstrated that by manipulating the repositories' ranking algorithms, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain.
More details on the method can be found in a blog post by Check Point here. A video of how the attack works can be found below. ®