MixFormer TNW Writer
Mix is a tech writer based in Amsterdam that loves cinema and probably hates the movies that you like. Tell him everything you despise about Mix is a tech writer based in Amsterdam that loves cinema and probably hates the movies that you like. Tell him everything you despise about his work on Twitter.
Better watch out where you download your subtitles from: It turns out attackers can infect subtitles with malicious code to exploit vulnerabilities in popular media players and take control of your device
Researchers from security firm Check Point have discovered an unusual attack vector that relies on surreptitiously inserting malware in subtitle files to perform cyberattacks. The list of affected media players so far includes popular apps like VLC, Kodi, Popcorn Time and Stremio.
According to their findings, the security experts estimate there are approximately 200 million streamers running iterations of the vulnerable software, making this “one of the most widespread” attacks in recent memory.
Check Point has since recorded a demonstration to show how the remote code execution takes place in Popcorn Time and Kodi. Watch the footage below:
What makes the infection vector particularly compelling is that many of the affected media players and users treat subtitle repositories as a “trusted source.”
In addition, Check Point warns that anti-virus software and similar security alternatives often interpret subtitles as “benign text files” and vet them without trying to carefully assess their nature.
“The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities,” the blog post reads. “[T]his results in numerous distinct vulnerabilities.”
Check Point has since informed the most prominent affected media clients. Unfortunately, while some issues have already been eliminated, others are yet to be patched. For this reason, the security firm has decided not to reveal any further technical details to prevent further attacks.
Until then: Better steer clear of popular subtitle repositories – it might save you a lot of hassle.
Visit the Check Point blog here to read the full bug report.
Get the TNW newsletter
Get the most important tech news in your inbox each week.