Alert! Subtitle Files Can Hack Your Computer While Watching Movies


May 17, 2017
A team of researchers at Check Point has found vulnerabilities in four of the most popular media player applications, which hackers can exploit to hijack any type of device, whether a PC, a smart TV, or a mobile device, using malicious code placed inside subtitle files.

“We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds,” he said.

These four vulnerable media players have been downloaded more than 300 million times:

  • VLC — Popular VideoLAN Media Player
  • Kodi (XBMC) — Open-Source Media Software
  • Popcorn Time — Software to watch Movies and TV shows instantly
  • Stremio — Video Streaming App for Videos, Movies, TV series and TV channels
The vulnerabilities lie in the way various media players process subtitle files and, if successfully exploited, put hundreds of millions of users at risk of getting hacked.

As soon as the media player parses a malicious subtitle file, before it displays the actual subtitles on your screen, the hackers are granted full control of the computer or smart TV on which the file is used.

The researchers demonstrated how a maliciously crafted subtitle file for a movie, added to the Popcorn Time media player, can hijack a Windows PC. On the right-hand side of the screen, an attacker running Kali Linux gained remote access to the system as soon as the victim added the subtitle file.
Since text-based subtitles for movies and TV shows are created by writers and then uploaded to Internet stores, like OpenSubtitles and SubDB, hackers could also craft malicious text files for the same TV shows and movies.

“Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction,” Check Point researchers said.

How to Protect Your Computer from Hackers?
Check Point has already informed the developers of VLC, Kodi, Popcorn Time and Stremio applications about the recently discovered vulnerabilities.

“To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point,” the researchers said.

All of them have patched the flaws, with Stremio and VLC releasing the patched versions of their software: Stremio 4.0 and VLC 2.2.5, which has been out for two weeks.

However, Kodi developer Martijn Kaijser said the official version 17.2 release would arrive later this week, while users could get a fixed version online. A patch for Popcorn Time is also available online.

Source: http://peartrend.com/tech-news/beware-subtitle-files-can-hack-your-computer-while-watching-movies/