Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com)

Posted by msmash on from the security-woes dept.

Millions of people risk having their devices and systems compromised by malicious subtitles, according to a new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes and in some cases, working on it. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.

25 of 126 comments (clear)

  1. Always verify user input and external data by Anonymous Coward · · Score: 3, Insightful

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

    1. Re:Always verify user input and external data by TWX · · Score: 2

      Dammit, wrong URL.

      Should've been to XKCD https://xkcd.com/327/

      Guess I should check my buffers before pasting and submitting stuff.

      --
      Do not look into laser with remaining eye.
  2. Plain Text by Gornkleschnitzer · · Score: 4, Insightful

    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

    1. Re:Plain Text by squiggleslash · · Score: 4, Informative

      Not that it changes your question much, but I think a significant number of subtitle systems (I know DVD does this for one) are based on low depth bitmaps, not text. That said, that makes it harder to understand why they'd be so easy to code badly, given bitmaps have an easily calculated maximum size.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Plain Text by buchner.johannes · · Score: 2

      From TFA:

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      But it does not say exactly what is the vulnerability, maybe that is still embargoed.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    3. Re:Plain Text by Anonymous Coward · · Score: 4, Interesting

      I remember when I wanted to get the subtitles off a blu ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.

      Might have something to do with font styles, alphabets and such. Easier to have it per-rendered than text formatting logic in the players.

    4. Re:Plain Text by Existential+Wombat · · Score: 2

      Ask Bobby Tables!

    5. Re:Plain Text by jedidiah · · Score: 2

      Pretty much.

      Closed captions are a text stream. DVD/BD subtitles are image overlays.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    6. Re:Plain Text by Merk42 · · Score: 4, Funny

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      25?! Ridiculous!
      We need to develop one universal standard that covers everyone's use cases.

    7. Re:Plain Text by Anonymous Coward · · Score: 5, Informative

      Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.

    8. Re:Plain Text by thegarbz · · Score: 4, Insightful

      plain-text subtitle system

      What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.

      The rest, they are made up of various features such as displaying static images, controlling fade, dynamic adjustment of font and colouring to suit things like Karaoke. There are heaps of different subtitle formats to chose from each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well now you have your subtitle system tied to a HTML / CSS processor.

    9. Re:Plain Text by omnichad · · Score: 2

      There are a lot of languages in the world. Bitmaps ensure that any player can render any character. And it's also the same system that handles overlays on the menu systems, so less code overall too. Players are relatively dumb devices that don't need their own font system, nor do they need to support decoding every character in Unicode.

      Also, where the subtitle is placed on the screen is sometimes important to avoid covering important action on the screen. A cinemascope movie has extra black space at the bottom of the 16:9 image and you can set position there. These can be done with text-based coordinates, but it's a matter of convenience.

    10. Re:Plain Text by Merk42 · · Score: 2

      Yes, that is the comic I literally quoted, good job.

  3. Hacking: A Beginner's Guid^k^s^#8#94873&^& by olsmeister · · Score: 2

    Those subtitles will get you every time.

  4. Re:How to avoid these vulnerabilities by war4peace · · Score: 4, Interesting

    What does this have to do with anything?
    I have bought a number of movies during the years, most of which did not have a readily-available Romanian subtitle at release. My wife doesn't speak English but understands it to some extent, the threshold being thick accents. Try to watch "Snatch" without subtitles, even in English, and you'll understand. "Doo ya leik dags?"

    I have a bunch of movies on DVDs which I can enjoy but she can't, so I either rip them to HDD or download the same movie online, then attach a subtitle to it. Now we can both enjoy the movie at its fullest.

    What I am doing is not piracy by any means, it's an extension of already existing features which I legally own the right to use.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  5. Kodi has already patched this hole by CeasedCaring · · Score: 2

    See https://kodi.tv/article/kodi-v...

  6. Look out for those bootleg Hungarian dubs! by ToTheStars · · Score: 5, Funny

    "Zis tabakonist is scratched. I weel not buy eet."

    "My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"

    Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."

  7. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 5, Insightful

    If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.

    You are quite wrong, on all accounts.

    I download spanish subtitles for movies we've legally purchase all the time, because they did not come with those subtitles. So, you are wrong about legal purchases negating the need for these subtitles.

    I've also gotten computer viruses from legally purchased and authentic software. Got one from a game I bought at Gamestop, back when games came on floppies. Anti-virus caught it as soon as the disk went into the drive. So, you are wrong about legal purchases keeping you safe.

    Remember Sony's root kit debacle? Sometimes you're not safe from the corporation you're buying from.

    --
    My karma is in a nose dive
  8. Nothing new here by bbsguru · · Score: 2
    "Malicious Subtitles". New? Hardly!

    Did you never watch Mystery Science Theater 3000?

  9. Does this apply to third-party vendors... by __aaclcg7560 · · Score: 2

    Last month I recorded a video of William Shatner telling the story about the biycle at Silicon Valley Comic Con 2017. I left my external mic at home, so the audio quality wasn't great. I paid $5 to Rev to create the captions and upload directly to my YouTube video. Nice service. I wonder if my videos could get malicious captions that way.

  10. Re:How to avoid these vulnerabilities by interkin3tic · · Score: 2

    AC is being sarcastic. For the willfully ignorant/forgetful out there

    You're
    still
    not
    safe.

  11. Re:How to avoid these vulnerabilities by Sigma+7 · · Score: 2

    If you refrain from piracy, you will be safe.

    If you refrained from piracy, your Commodore 64's drive would need repair much more frequently because an anti-piracy measure involves reading "bad" sectors and causing the hard drive to knock at sector 0 (and thus misalign the head.)

    If you refrain from piracy, you get a free rootkit while you play games such as Street Fighter V.

    If you refrain from piracy in the future... well, I'm uncertain what will happen on the technical side, but you won't be able to purchase Alan Wake if you missed the recent fire sale.

    I'm not advocating piracy, but the current situation is that anti-piracy mechanisms don't exactly respect the customer, or those that want to buy the products.

  12. Re: subtitle lulz by Anonymous Coward · · Score: 2, Insightful

    And, if you ever lose your hearing, as I did in the US Navy, you'll find subtitles to be a necessity. I hope you're not claustrophobic, you'd go crazy in that closed little mind of yours.

  13. Re:How to avoid these vulnerabilities by LordSkippy · · Score: 2

    Mexico is region one. I'm in the US, in a household of all US citizens, but a household of majority spanish speakers. So, only region one media and players are available to us.

    --
    My karma is in a nose dive
  14. Re:subtitle lulz by itamihn · · Score: 2

    As a non-native English speaker, the subtitles, whereas not really necessary, do come in handy.