Check Point Software Technologies Ltd has revealed that its researchers have found a major attack method in which hackers exploit vulnerabilities in media players that automatically download subtitles for movies.

As such, some of the most well-known media players such as Kodi, VLC and Popcorn Time have been compromised as these players are configured to download subtitles from online subtitle repositories automatically.

So how does it work?

Check Point reported that attackers usually make use of two hacking methods to hijack a system. They either coax users into clicking a link which activates malware or they trick users into downloading a file which contains the malware.

Nevertheless, a new method has just been discovered in which an attacker can easily exploit vulnerabilities in media players and inject malware through subtitles into the systems of those who use such media players to stream online content.

The problem here is that, unlike traditional malware links and files, subtitle files are simply pieces of text written in a way that makes it impossible for security experts, anti-virus software and users to identify whether the subtitle file has actually been compromised. In such a situation, it is only after an attack has been launched that the victim discovers that their security has been compromised.

The attack is usually carried out by exploiting vulnerabilities in media players, which treat online subtitle repositories as trustworthy and reliable. However, attackers can easily manipulate such repositories and make the media players download the infected subtitle files by tampering with the repository’s configuration.

According to Check Point’s blog post:

Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyber attack is delivered when movie subtitles are loaded by the user’s media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous. Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files.

How does a media player select a subtitle file?

The principal vulnerability lies in how a media player selects a subtitle file to download. As mentioned earlier, media players such as VLC usually pick subtitle files automatically from online subtitle repositories, which store subtitle files in over 25 different formats.

However, in order to provide a better experience, the media players parse all of the different formats and this involves fragmented software which then gives rise to numerous flaws. It is these flaws that an attacker can exploit to launch an attack.

Furthermore, online repositories have a mechanism through which they rank different subtitle files created by various people. An attacker can manipulate the system into making his or her file rank first. Media players, on the other hand, usually select the files that have a high ranking and are therefore tricked into downloading files which contain malware. Users who download subtitle files manually may also look for the highest-ranking file and thus get the one which has been infected.
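
A defensive illustration of the point above, added here and not taken from Check Point or any of the affected players: rather than handing a downloaded subtitle straight to the player's parsers, treat it as untrusted input and rebuild it as a strict plain-text SRT first. The function name, the SRT-only scope and the size limits are assumptions of this example.

```python
import re

# Assumed limits for this example; tune them for your environment.
MAX_BYTES = 1_000_000
MAX_CUES = 5_000
MAX_LINE_CHARS = 200

TIMING = re.compile(
    r"^(\d{2}):([0-5]\d):([0-5]\d),(\d{3}) --> (\d{2}):([0-5]\d):([0-5]\d),(\d{3})$"
)
TAG = re.compile(r"<[^>]*>|\{[^}]*\}")  # HTML-like and brace-style markup


def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)


def sanitize_srt(raw: bytes) -> str:
    """Return a plain-text SRT rebuilt from raw, or raise ValueError."""
    if len(raw) > MAX_BYTES:
        raise ValueError("file too large")
    text = raw.decode("utf-8")  # UnicodeDecodeError is a ValueError subclass
    text = text.lstrip("\ufeff").replace("\r\n", "\n")
    blocks = [b for b in re.split(r"\n{2,}", text.strip("\n")) if b]
    if not blocks or len(blocks) > MAX_CUES:
        raise ValueError("cue count out of range")
    out = []
    for n, block in enumerate(blocks, 1):
        lines = block.split("\n")
        if len(lines) < 3 or not lines[0].strip().isdigit():
            raise ValueError(f"cue {n}: malformed header")
        m = TIMING.match(lines[1].strip())
        if not m or _ms(*m.groups()[:4]) >= _ms(*m.groups()[4:]):
            raise ValueError(f"cue {n}: bad timing line")
        body = []
        for line in lines[2:]:
            line = TAG.sub("", line)  # drop styling markup, keep the words
            if len(line) > MAX_LINE_CHARS or any(ord(c) < 32 for c in line):
                raise ValueError(f"cue {n}: suspicious text line")
            body.append(line)
        # Cues are renumbered and re-emitted; nothing is passed through verbatim.
        out.append(f"{n}\n{lines[1].strip()}\n" + "\n".join(body))
    return "\n\n".join(out) + "\n"
```

Anything that does not fit this narrow subset is rejected outright, which also means files in the other subtitle formats never reach the player.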

What happens once the file is downloaded?

After you download the infected file, the perpetrator can virtually take control of your entire machine and do whatever he or she wants, from stealing your bank details to injecting harmful malware. So far, VLC, Popcorn Time, Kodi and Stremio have been found to be affected by the attack.
