Millions of people risk having their devices and systems compromised by malicious subtitles, Check Point researchers revealed today. The threat comes from a previously undocumented vulnerability that affects users of popular streaming software, including Kodi, Popcorn Time, and VLC. Developers of the applications have already applied fixes or will do so soon.

Online streaming is booming, and applications such as Kodi, Popcorn Time and VLC have millions of daily users.

Some of these use pirated videos, often in combination with subtitles provided by third-party repositories.

While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users.

Researchers from Check Point, who uncovered the problem, describe the subtitle ‘attack vector’ as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” they write.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In a demonstration video, using Popcorn Time, the researchers show how easy it is to compromise the system of a potential victim.

[Video: a demo of the subtitles vulnerability]

XBMC Foundation’s project lead Martijn Kaijser informs TorrentFreak that the Kodi team is aware of the situation, which they will address soon. “We will release 17.2 which will have the fix this week,” he told us.

VLC’s VideoLAN has addressed the issue as well and does not expect it to still be exploitable.

“The VLC bug is not exploitable. The first big issue was fixed in 2.2.5. There are 2 other small issues, that will be fixed in 2.2.6,” VideoLAN informed us.

The team behind PopcornTime.sh found a fix several months ago after the researchers approached them, TorrentFreak is informed. The Popcorn Time team trusts their subtitle provider OpenSubtitles but says that it will now sanitize malicious subtitle files, including those added by users.

(Note: Popcorn.sh has not applied all fixes in their stable code, but that will happen later today with version 0.3.11)

The same applies to the Butter project, which is closely related to Popcorn Time. Butter was not contacted by Check Point but their fix is visible in a GitHub commit from February.

“None of the Butter Project developers were contacted by the research group. We’d love to have them talk to us if our code is still vulnerable. To the extent of our research it is not, but we’d like the ‘responsible disclosure’ terms to actually mean something,” the Butter project informs TorrentFreak.

The Check Point researchers expect that other applications may also be affected. They do not disclose any technical details at this point, nor do they state which of the applications successfully addressed the vulnerability.

“Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point,” the researchers state.

More updates will be added if more information becomes available. For now, however, people who regularly use subtitle files should remain vigilant.