Video streaming platforms like Kodi, VLC and Popcorn Time could be putting users at risk from malware - and it's all because of subtitles.

According to cyber security experts at Check Point Security Technologies, these media players use software to pull in subtitle files that help the user experience.

However, the subtitle files are often corrupted with malware, which the software is unable to detect, allowing hackers to infiltrate the user's PC, smartphone or streaming device and wreak havoc.

"These subtitles repositories are, in practice, treated as a trusted source by the user or media player," the Check Point research team explained in a blog post.

"Our research also reveals that those repositories can be manipulated and be made to award the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files.

"This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk."

Check Point believes up to 200 MILLION people could be at risk, given the growing popularity of streaming platforms like Kodi.

On software like Kodi and Popcorn Time, users can choose whether or not to enable subtitles, but they can't always control where the files are pulled from.

As revealed in the video above, all a hacker needs to do is load up a well-used subtitle file with malware to gain access to the victim's computer.

"The total number of the affected users is in the hundreds of millions," explains Check Point, noting that VLC alone has over 170 million downloads.

Kodi meanwhile has reached over 10 million unique users each day.

"The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats.

"To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities. Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities."

The team said they found the vulnerabilities in four different media players: Kodi, VLC, Popcorn Time and Stream.io, and have contacted the developers of each one to alert them to the issue.

All four platforms report they have fixed the subtitle issue in new versions of their software - but it's up to the users to download and update.

"When Check Point researchers uncovered this flaw they contacted us up front to let us know about this flaw," Kodi's developers said in a statement.

"Our developers fixed this security gap and have added the fix to this v17.2 release. As such we highly encourage all users to install this latest version!

"Any previous Kodi version will not get any security patch. We have begun the roll out of this version and Android Play Store as well as Windows Store have this update pending and will roll out as soon as possible."