A fork of the popular Popcorn Time application is vulnerable to hacking attacks, a researcher says. Antonios Chariton, aka DaKnOb, says that a man-in-the-middle attacker can gain complete control of a target machine. Fortunately he also has some advice for the software's developers to help put matters right.

Almost 18 months after it burst onto the scene in 2014, Popcorn Time is still one of the most popular file-sharing applications on the market.

Millions of people use multiple variants of the Netflix-style tool every day, with its ease of use and wide content availability proving a hit with users old and new.

Popcorn Time’s success has also made it a target for anti-piracy companies desperate to shut it down, but today the software finds itself under attack of a different kind.

Antonios Chariton, aka ‘DaKnOb’, describes himself as a Security Engineer & Researcher. Currently in Greece studying for his B.Sc. in Computer Science, Chariton informs TorrentFreak that he’s discovered some serious security vulnerabilities in at least one fork of Popcorn Time.

“There are two reasons that made me look into Popcorn Time. First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time,” Chariton says.

The researcher says that the problems begin with “a really smart” technique that Popcorn Time uses to bypass ISP-level blocking in the UK. Because the application routes part of its setup through Cloudflare infrastructure, it’s difficult to block Popcorn Time at the DNS level without also blocking the Cloudflare website, Chariton notes.

But cleverness aside, this is where the problems begin.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explains.

“The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

As shown in the image below, Chariton says he was able to perform a “content spoofing” attack, in which he gave the movie Hot Pursuit the title of “Hello World” instead.

The researcher says that while he could’ve changed any other information in the Popcorn Time application, that wouldn’t be “exactly much fun”. So, to get pulses racing, he launched an XSS attack instead.

As shown in the image below, Cross-Site Scripting (XSS) attacks allow attacker-supplied scripts to be injected into a web application and executed as if they were part of it.

“We have injected malicious JavaScript and the client application executed the code. Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” Chariton explains.

“This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

That’s obviously a pretty serious issue but Chariton does have some advice for the developers.

“HTTP is insecure. There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response,” he notes.

“Last but not least, just because something is Open Source doesn’t mean it’s audited and secure. Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do,” Chariton concludes.
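The three fixes Chariton lists (fetch over HTTPS only, validate what the server returns, and never render it as raw markup) are illustrated below in JavaScript, the language of the affected application. This is an added example written for this article; it is not Popcorn Time code and not Chariton’s. The function names, the `title`/`year` record shape and the sample record are constructed for illustration.

```javascript
// Added example, not code from Popcorn Time or the researcher.
// The metadata path the article describes: a record is fetched over the
// network and rendered in a NodeJS / node-webkit UI, so every field in it
// is untrusted input. Three defensive layers are shown:
//   1. refuse to talk to anything but an HTTPS origin,
//   2. validate the shape and bounds of the response before using it,
//   3. escape every field before it is interpolated into markup.

const ALLOWED_SCHEME = "https:";

// Layer 1: refuse to build a request to a plain-HTTP URL.
// Returns the parsed URL or throws. (Hypothetical helper name.)
function requireHttps(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== ALLOWED_SCHEME) {
    throw new Error(`refusing non-HTTPS metadata URL: ${url.protocol}`);
  }
  return url;
}

// Layer 2: schema check for one movie record. Only the fields we expect,
// with the types and bounds we expect, survive; everything else is rejected
// rather than rendered. The {title, year} shape is an assumption.
function validateMovieRecord(record) {
  if (typeof record !== "object" || record === null || Array.isArray(record)) {
    return { ok: false, reason: "record is not an object" };
  }
  const { title, year } = record;
  if (typeof title !== "string" || title.length === 0 || title.length > 200) {
    return { ok: false, reason: "title missing or out of bounds" };
  }
  if (!Number.isInteger(year) || year < 1888 || year > 2100) {
    return { ok: false, reason: "year is not a plausible integer" };
  }
  // Return a fresh object that carries only the whitelisted fields.
  return { ok: true, value: { title, year } };
}

// Layer 3: HTML-escape a string so it can sit inside element content or a
// double-quoted attribute without being parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The pattern the article describes: server-supplied text concatenated
// straight into markup. Any tag inside `title` becomes live DOM.
function renderCardUnsafe(record) {
  return `<div class="card"><h2>${record.title}</h2><span>${record.year}</span></div>`;
}

// Hardened form: validate first, then escape every interpolated field.
function renderCardSafe(record) {
  const checked = validateMovieRecord(record);
  if (!checked.ok) {
    throw new Error(`rejected metadata: ${checked.reason}`);
  }
  const { title, year } = checked.value;
  return `<div class="card"><h2>${escapeHtml(title)}</h2><span>${year}</span></div>`;
}

// Constructed sample: a record whose title carries markup, standing in for a
// response that was altered on the wire.
const TAMPERED_RECORD = { title: "Hot Pursuit <b>Hello World</b>", year: 2015 };

console.log("unsafe:", renderCardUnsafe(TAMPERED_RECORD));
console.log("safe:  ", renderCardSafe(TAMPERED_RECORD));
```

The validation step is what covers the “even over TLS it still isn’t secure” point: a correctly authenticated server can still return a malformed or hostile record, so the client checks types and bounds itself instead of trusting the transport. Using `textContent` (or an equivalent DOM API) rather than building HTML strings would make the escaping step unnecessary; it is shown as a string here so the unsafe and safe forms can be compared directly.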

Making the situation more complex is the number of Popcorn Time forks in circulation. Chariton told us that he carried out his tests on the variant available at PopcornTime.io, but it’s certainly possible that the same issues exist elsewhere on lesser-used forks.

That being said, the developers behind the variant available at Popcorn-Time.se inform TorrentFreak that their version isn’t vulnerable to these exploits.

“These security issues don’t refer to Popcorn-time.se since we built Popcorn Time from scratch in C++,” the devs explain.

“We don’t use Node Webkit which is known for having security issues, but chose the longer route of building our platform on our own from the ground up to avoid just these kinds of issues.”

Chariton has raised the issue here and it’s currently under discussion.

Update: Popcorntime.io have now responded.

“This attack requires that the attacker is either inside the local network, inside the host machine, or has poisoned the DNS servers,” the team explain.

“In any case, there are far more valuable attacks than simply hitting Popcorn Time. Especially because it does not run with elevated privileges and won’t let the attacker install new programs for example.”

The team have a longer article published here.