Kodi App, VLC and Other Media Players Now Prone to Hack by Subtitles

Media players such as Kodi App, PopcornTime, Stremio, and VLC have been found prone to a malicious ‘attack by subtitles’, as reported by Check Point.
According to the researchers, things look pretty severe:
“We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years. (…) Each of the media players found to be vulnerable to date has millions of users, and we believe other media players could be vulnerable to similar attacks as well”.

While this is a serious breach in itself, what the Check Point announcement really picks up on is how “overlooked” and relatively simple this attack is. Attacks of this kind usually rely on the user doing something to initiate the malicious code. This attack, however, relies on the code being initialized when the media player loads the subtitles accompanying video content. The difference is that a user does not need to be tricked into activating a suspicious file or clicking through a link. Brilliant, right?
Starting a video which makes use of subtitles can easily activate the code. The user’s involvement in this particular technique is minimal compared to the traditional methods used. Likewise, even anti-virus and other security-driven software might overlook such files, because subtitle files are generally regarded as safe.

What is the root cause?

The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities.
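The defensive counterpart to the root cause above is to treat every subtitle file as untrusted input and parse it strictly. The following is an added example, not code from Check Point or from any of the players named here; it handles only the SRT format, and the size limits, function names and sample data are assumptions made for illustration.

```python
import re

MAX_BYTES = 1_000_000   # assumed cap: subtitle files are small text files
MAX_CUE_CHARS = 500     # assumed per-cue limit
TIME = r"(\d{2}):([0-5]\d):([0-5]\d),(\d{3})"
TIMING = re.compile(rf"^{TIME} --> {TIME}$")
TAG = re.compile(r"<[^>]*>")  # markup is dropped; the rest is shown as plain text

# Constructed sample input, not taken from any real subtitle file.
GOOD_SAMPLE = (b"1\r\n00:00:01,000 --> 00:00:02,500\r\nHello <i>there</i>\r\n\r\n"
               b"2\r\n00:00:03,000 --> 00:00:04,000\r\nBye\r\n")

class SubtitleRejected(ValueError):
    """Raised for any input that is not plain, well-formed SRT."""

def to_ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def parse_srt_strict(raw: bytes):
    """Return [(start_ms, end_ms, text)] or raise SubtitleRejected."""
    if len(raw) > MAX_BYTES:
        raise SubtitleRejected("file too large")
    try:
        text = raw.decode("utf-8-sig")
    except UnicodeDecodeError as exc:
        raise SubtitleRejected("not valid UTF-8") from exc
    if "\x00" in text:
        raise SubtitleRejected("NUL character in text file")
    cues = []
    blocks = re.split(r"\n{2,}", text.replace("\r\n", "\n").strip())
    for expected, block in enumerate(blocks, start=1):
        lines = block.split("\n")
        if len(lines) < 3 or lines[0].strip() != str(expected):
            raise SubtitleRejected(f"cue {expected}: bad index or no text")
        match = TIMING.match(lines[1].strip())
        if not match:
            raise SubtitleRejected(f"cue {expected}: bad timing line")
        start, end = to_ms(*match.groups()[:4]), to_ms(*match.groups()[4:])
        if end <= start:
            raise SubtitleRejected(f"cue {expected}: end is not after start")
        body = TAG.sub("", "\n".join(lines[2:]))
        if len(body) > MAX_CUE_CHARS:
            raise SubtitleRejected(f"cue {expected}: text too long")
        cues.append((start, end, body))
    return cues

if __name__ == "__main__":
    print(parse_srt_strict(GOOD_SAMPLE))
```

Anything the parser does not recognise is rejected rather than passed on, which is the opposite of the permissive, multi-format parsing described above.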

Damage: By conducting attacks through subtitles, hackers can take complete control over any device running the vulnerable players. From this point on, the attacker can do whatever he wants with the victim’s device, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging from stealing sensitive information and installing ransomware to mass denial-of-service attacks and much more.


Platforms Update:

PopcornTime – Created a fixed version; however, it is not yet available to download from the official website.
The fixed version can be manually downloaded via the following link: 

Kodi App – Officially fixed and available to download on their website.

VLC – Officially fixed and available to download on their website.

Stremio – Officially fixed and available to download on their website.

