
On Tuesday, security research firm Check Point announced that its team had discovered a new vulnerability in numerous media players that allows a hacker to take full control of any device when a malicious subtitle file is used. The firm estimates 200 million people are potentially at risk.


From Check Point’s alert:

Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous. Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files.


To be clear, if you’re using a media player to watch a legitimate copy of a film that already has subtitles, you’re probably just fine. But if for any reason you visited one of the numerous websites that allow you to download subtitles for movies in various languages, you could be at risk. People download these files for many reasons, not just for the purposes of piracy. There’s a thriving community of people who translate film dialogue for the good of everyone but, unfortunately, there could be some bad actors out there.

Here are the media players that are affected and how to update them:

PopcornTime – A fixed version has been created; however, it is not yet available to download on the official website. The fixed version can be manually downloaded here.

Kodi – A fixed version has been created, which is currently only available as a source code release. This version is not yet available to download on the official site. Link to the source code fix is available here.

VLC – Officially fixed and available to download on their website.

Stremio – Officially fixed and available to download on their website.

The researchers also discovered that it’s extremely easy to manipulate the algorithm of a site like OpenSubtitles.org in order to guarantee that a malicious file would make it to the top of the search results.

Get to updating.

Here’s a video demonstration of the vulnerability in action:

[Check Point via The Hacker News]