Are you a movie fan? Streaming content voraciously through Netflix, Amazon Video or Vudu may be your thing but chances are, you are also familiar with a bunch of third-party media players. Piracy concerns aside, not only do these players support a wide variety of formats, they are also versatile and are great for viewing local media libraries.
If you routinely use one of these popular media players – VLC, Kodi, Popcorn Time and Stremio – please be cautious when you download and install subtitle files from the web. According to Check Point researchers, hackers have found a way to exploit vulnerabilities in these media players and take over computers using booby-trapped subtitles.
By inserting malicious code within these specially-crafted subtitles, attackers can remotely control a computer as soon as the media player loads the booby-trapped file. Since the code is embedded within the subtitle file and runs through the media player, hackers can bypass antivirus and security software.
Scarier still, as shown in the video below, victims may not even know that their computers are already compromised.
In the demonstration video, Windows computers running Popcorn Time and Kodi are attacked. As soon as the booby-trapped subtitle file is loaded for the particular movie, the exploit runs in the background, allowing the attacker to remotely view and control the victim’s computer discreetly.
Movie subtitles come in a wide variety of formats and can be downloaded or loaded in a media player freely from the web using sites like OpenSubtitles.org. The problem is that since these sites are also publicly sourced, anyone can simply create a user profile and upload their own files. The attackers then manipulate these sites ranking systems to have their poisoned subtitles appear on top of the search results.
This means that with media players like Kodi that automatically select and load the top ranked subtitle file for any particular movie, the exploit can be run without user interaction at all.
Check Point stated that they have already informed the makers of VLC, Kodi, Stremio and Popcorn Time before going public with the vulnerabilities on Tuesday. So far, VLC and Stremio have already patched their players while the makers of Kodi and Popcorn Time released their own fixes as well. Additionally, the researchers also warned that similar but yet to be found vulnerabilities could exist in other media players.
To protect yourself, make sure to update your media players to the latest versions immediately. VLC was patched in version 2.2.5 released two weeks ago but more fixes are coming later this week.