Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com)

Posted by msmash on from the security-woes dept.

Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.

5 of 126 comments (clear)

  1. Always verify user input and external data by Anonymous Coward · · Score: 3, Insightful

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

  2. Plain Text by Gornkleschnitzer · · Score: 4, Insightful

    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

    1. Re:Plain Text by thegarbz · · Score: 4, Insightful

      plain-text subtitle system

      What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.

      The rest, they are made up of various features such as displaying static images, controlling fade, dynamic adjustment of font and colouring to suit things like Karaoke. There are heaps of different subtitle formats to chose from each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well now you have your subtitle system tied to a HTML / CSS processor.

  3. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 5, Insightful

    If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.

    You are quite wrong, on all accounts.

    I download spanish subtitles for movies we've legally purchase all the time, because they did not come with those subtitles. So, you are wrong about legal purchases negating the need for these subtitles.

    I've also gotten computer viruses from legally purchased and authentic software. Got one from a game I bought at Gamestop, back when games came on floppies. Anti-virus caught it as soon as the disk went into the drive. So, you are wrong about legal purchases keeping you safe.

    Remember Sony's root kit debacle? Sometimes you're not safe from the corporation you're buying from.

    --
    My karma is in a nose dive
  4. Re: subtitle lulz by Anonymous Coward · · Score: 2, Insightful

    And, if you ever lose your hearing, as I did in the US Navy, you'll find subtitles to be a necessity. I hope you're not claustrophobic, you'd go crazy in that closed little mind of yours.