Lost in translation or hacked in translation? Subtitles with VLC, Kodi or another player? Better be careful where you download your subtitles from: It turns out that attackers can infect subtitles with malicious code to exploit vulnerabilities in popular media players and take control of your device.
Researchers from security firm Check Point have discovered an unusual attack, which relies on stealthily injecting malware into subtitle files. The list of vulnerable players so far includes popular applications such as: VLC, Kodi, Popcorn Time and Stremio.
According to their findings, security experts estimate that there are about 200 millions streamers running vulnerable software, making this particular attack "one of the most widespread" at the moment.
Check Point provides a PoC that shows how remote code execution can take place in Popcorn Time and Kodi (you will find it at the end of the publication).
What makes the attack particularly important is that many of the media players involved as well as users consider subtitle repositories as a "reliable source".
In addition, Check Point warns that anti-virus software and the like alternatives security solutions often interpret subtitles as "benign text files" and scan them without trying to carefully assess their nature.
“The attack relies heavily on the poor security situation in the way some media players process subtitle files, but also on the large number of subtitle formats. To begin with, there are over 25 subtitle formats that we use, each with unique features characteristics and capabilities", says the article on their blog.
Since then, Check Point has informed the major media developers affected. Unfortunately, while some issues have already been corrected, there are others that still make the software vulnerable to this kind of attack. For this reason, the security company decided not to reveal further technical details to prevent further attacks.
Until then: Better avoid popular subtitle repositories.