Slashdot Mirror


Malicious Subtitles Threaten VLC, Kodi and Popcorn Time Users, Researchers Warn (torrentfreak.com)

Millions of people risk having their devices and systems compromised by malicious subtitles, according to new research published by security firm Check Point. The threat comes from a previously undocumented vulnerability which affects users of popular streaming software, including Kodi, Popcorn-Time, and VLC. Developers of the applications have already applied fixes or, in some cases, are still working on them. From a report: While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users. Researchers from Check Point, who uncovered the problem, describe the subtitle 'attack vector' as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years. "By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device," they write.

10 of 126 comments

  1. Always verify user input and external data by Anonymous Coward · Score: 3, Insightful

    If it can be abused, then someone will do it. Why is it so difficult for developers to learn this?

  2. Plain Text by Gornkleschnitzer · Score: 4, Insightful

    How on earth does one design a plain-text subtitle system capable of being instructed to execute code?

    1. Re:Plain Text by squiggleslash · Score: 4, Informative

      Not that it changes your question much, but I think a significant number of subtitle systems (I know DVD does this for one) are based on low depth bitmaps, not text. That said, that makes it harder to understand why they'd be so easy to code badly, given bitmaps have an easily calculated maximum size.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Plain Text by Anonymous Coward · Score: 4, Interesting

      I remember when I wanted to get the subtitles off a Blu-ray, it was done via OCR. Support your .srt creating peeps, it's a pain in the ass.

      Might have something to do with font styles, alphabets and such. Easier to have it pre-rendered than text formatting logic in the players.

    3. Re:Plain Text by Merk42 · Score: 4, Funny

      To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method.

      25?! Ridiculous!
      We need to develop one universal standard that covers everyone's use cases.

    4. Re:Plain Text by Anonymous Coward · Score: 5, Informative

      Remember, DVD players hit the mass market in 1997. Rendering a font in real-time for each language would have increased the cost of the processor. Compositing could be handled by the same video chipset that handled animated menus.

    5. Re:Plain Text by thegarbz · Score: 4, Insightful

      plain-text subtitle system

      What on earth makes you think the subtitle system is plain text? There is one system that is plain text and that is the SRT format.

      The rest, they are made up of various features such as displaying static images, controlling fade, dynamic adjustment of font and colouring to suit things like Karaoke. There are heaps of different subtitle formats to choose from, each with their own mix of either plain text or encoded formats. Even among the plain text ones it isn't simple. Want to use WebVTT? Well now you have your subtitle system tied to an HTML / CSS processor.

  3. Re:How to avoid these vulnerabilities by war4peace · Score: 4, Interesting

    What does this have to do with anything?
    I have bought a number of movies during the years, most of which did not have a readily-available Romanian subtitle at release. My wife doesn't speak English but understands it to some extent, the threshold being thick accents. Try to watch "Snatch" without subtitles, even in English, and you'll understand. "Doo ya leik dags?"

    I have a bunch of movies on DVDs which I can enjoy but she can't, so I either rip them to HDD or download the same movie online, then attach a subtitle to it. Now we can both enjoy the movie at its fullest.

    What I am doing is not piracy by any means, it's an extension of already existing features which I legally own the right to use.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  4. Look out for those bootleg Hungarian dubs! by ToTheStars · Score: 5, Funny

    "Zis tabakonist is scratched. I weel not buy eet."

    "My hovercraft is full of eels. Do you want to come back to my place, bouncy-bouncy?"

    Of course, it's the German gag dub that's the real killer: "Wenn ist das Nunnstuck, git und Slotermayer..."

  5. Re:How to avoid these vulnerabilities by LordSkippy · Score: 5, Insightful

    If you want to ensure that you don't fall victim to these vulnerabilities, there's an easy way to be sure you're safe. Don't break the law by pirating content and software. If you refrain from piracy, you will be safe. Hope that helps.

    You are quite wrong, on all accounts.

    I download Spanish subtitles for movies we've legally purchased all the time, because they did not come with those subtitles. So, you are wrong about legal purchases negating the need for these subtitles.

    I've also gotten computer viruses from legally purchased and authentic software. Got one from a game I bought at Gamestop, back when games came on floppies. Anti-virus caught it as soon as the disk went into the drive. So, you are wrong about legal purchases keeping you safe.

    Remember Sony's root kit debacle? Sometimes you're not safe from the corporation you're buying from.

    --
    My karma is in a nose dive