Media players expose users to hacker attacks via subtitles
Security researchers from Check Point have discovered a major vulnerability in popular media players, like VLC, Kodi and Popcorn Time, which leaves users vulnerable to hacker attacks via malicious subtitles. The security firm estimates that the number of potential victims is around 200 million.
Media players give users the option to load subtitles from repositories, and attackers can manipulate those repositories into ranking their altered subtitles higher. As a result, the malicious subtitles are recommended to the user. If they are loaded, attackers can gain control over "any device running them." Check Point notes that the "potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more."
And we are not talking just about PCs here, as apparently this vulnerability can also be exploited on Smart TVs and mobile devices. But how exactly does it leave users exposed?
If you've ever opened a subtitle file, then you probably know what sort of information to expect in it: time-stamps and the line that should appear on the screen during that time. It may contain other data too, but, generally speaking, that is the minimum amount of information that you will see, regardless of the format.
Because subtitles are not expected to be turned into malware, media players treat them as "nothing more than benign text files." There are over 25 formats in use, according to Check Point, and many of them are supported by the popular players to make it easy for users to find a working subtitle for the video they are about to watch.
And because of that assumption, media players do not check what exactly is in there and whether the information that is included belongs in a subtitle or not. Security software is said to make the same assumption, though I suspect that due to its nature it is more likely to pick up on malicious code. It is not yet clear if this vulnerability has been exploited already.
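As an added illustration (not code from Check Point or from any of the players named), here is the opposite stance to the one described above: a loader that treats a subtitle file as untrusted input and accepts only time-stamps and text. It assumes the SubRip (.srt) layout as the format; the size limits, the tag allowlist and the names used are assumptions chosen for the example.

```python
import re

MAX_BYTES, MAX_CUES, MAX_TEXT = 1_000_000, 5_000, 500   # assumed limits
TIMING = re.compile(r"^(\d{2}):([0-5]\d):([0-5]\d),(\d{3}) --> "
                    r"(\d{2}):([0-5]\d):([0-5]\d),(\d{3})$", re.ASCII)
TAG = re.compile(r"<[^>]*>|\{[^}]*\}")
ALLOWED_TAGS = {"<i>", "</i>", "<b>", "</b>", "<u>", "</u>"}  # assumed allowlist
# Constructed sample input: one cue with an allowed and a disallowed tag.
SAMPLE = b"1\n00:00:01,000 --> 00:00:02,500\n<i>Hello</i> <font color=x>there</font>\n"

class SubtitleRejected(ValueError):
    """Raised when the input is not a plain, well-formed SubRip file."""

def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def _clean(text):
    # Refuse control characters (escape sequences, NULs); drop any markup
    # that is not simple styling. A renderer must still escape the result.
    if any((ord(c) < 32 and c != "\n") or ord(c) == 127 for c in text):
        raise SubtitleRejected("control character in cue text")
    return TAG.sub(lambda m: m.group(0) if m.group(0).lower() in ALLOWED_TAGS else "", text)

def parse_srt(raw: bytes):
    """Return [(start_ms, end_ms, text)] or raise SubtitleRejected."""
    if len(raw) > MAX_BYTES:
        raise SubtitleRejected("file too large")
    try:
        doc = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        raise SubtitleRejected("not valid UTF-8") from exc
    blocks = [b for b in re.split(r"\n{2,}", doc.replace("\r\n", "\n").strip()) if b]
    if len(blocks) > MAX_CUES:
        raise SubtitleRejected("too many cues")
    cues, last_start = [], -1
    for block in blocks:
        lines = block.split("\n")
        if len(lines) < 3 or not lines[0].strip().isdecimal():
            raise SubtitleRejected("malformed cue header")
        match = TIMING.match(lines[1].strip())
        if not match:
            raise SubtitleRejected("malformed timing line")
        g = match.groups()
        start, end = _ms(*g[:4]), _ms(*g[4:])
        text = _clean("\n".join(lines[2:]))
        if not (last_start <= start < end) or len(text) > MAX_TEXT:
            raise SubtitleRejected("cue out of order, empty span, or too long")
        cues.append((start, end, text))
        last_start = start
    return cues
```

Anything that does not fit the expected shape is rejected rather than passed on to the renderer, so the file is never handled as more than time-stamps and text.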
Check Point has reached out to the affected media players, and some of the big names have issued new releases which close this attack vector. VLC, for instance, has version 220.127.116.11, which includes the fix, but other developers have yet to incorporate the patches into public releases.