A group of security researchers recently discovered vulnerabilities in several popular media players. These vulnerabilities allow cyber attackers to hijack users’ computers, smart TVs and phones, when the malicious subtitles are loaded while watching movies.
Subtitles become weapons
Text-based subtitles are normally sold or distributed by translators/writers on an open-source platform like OpenSubtitles and SubDB. People who need subtitles including foreign movie lovers and the hearing impaired, can choose the best version for themselves.
, cyber attackers are able to spread their malicious payload easily.
By taking advantage of the vulnerable media players, attackers craft malicious subtitle files loaded inside the application, which automatically executes inserted code on the user’s device to take control of user’s device. Malicious subtitles can be created and delivered to millions of users automatically. These vulnerabilities in the apps are being exploited by hackers to take over any type of devices, which means your computer, smart TV, or mobile devices are all in danger.
Hackers are also manipulating the website’s ranking to make their subtitles show in the search result above other harmless subtitle files, and get the most downloads. Some streaming media players such as Popcorn Time may boost the infection by, originally designed as a user friendly feature, automatically downloading subtitles on behalf of their users.
Update now! watch movies with no worry.
Four of the most popular media players including VLC, Popcorn Time, Kodi, and Stremio, were tested/verified to be vulnerable. According to the researchers, approximately 200 million users are using vulnerable versions of these media players. However there may be more media players which (are exposed to the same risk/carry the same vulnerability), but haven’t been tested.
Now three of the four media players, VLC, Stremio, and Popcorn Time, have already released new updates to patch the flaw, yet Kodi’s fixed version 17.2 is still on its way. To avoid your precious devices being hijacked, please update your media player immediately. Do not load a subtitle file until you are 100% sure that your media player is safe.
See their statement of fixing and update here:
Popcorn Time: https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249/
VLC 2.2.5: https://www.videolan.org/vlc/releases/2.2.5.html