
Using subtitles on Kodi or VLC could get you hacked – Here's how to protect yourself



Following a series of global cyber attacks, a security research firm has announced that using subtitles on certain media players could get you hacked.

Check Point announced it has found vulnerabilities in popular streaming platforms that allow hackers to take control over any type of device using malicious subtitle files.

The affected platforms include VLC, Kodi (XBMC), Popcorn-Time, and strem.io, with Check Point claiming around 200 million video players are currently running the vulnerable software.


Check Point states in its blog post: "Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player.

These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user."

The new hacking method is said to require "little or no deliberate action on the part of the user," making it difficult to prevent and easily overlooked.

As Check Point adds: "Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files."

Check Point says this latest hacking attempt exploits the "poor state of security in the way various media players process subtitle files."

However, it should be said that watching a legitimate copy of any media with subtitles shouldn't cause an issue – the problem arises when downloading subtitle files from sites that provide translated subtitles.

While most of these files are nothing to worry about, the hackers appear to be operating through these sites, providing compromised files that appear legitimate.

Malicious actors have also found ways of ensuring their files appear at the top of search results on these sites, greatly improving their chances of getting the files successfully downloaded onto users' devices.

Luckily, it seems media player companies have taken note, providing updates to guard against the attacks. Check Point provided details on how to protect yourself:

PopcornTime - Created a fixed version; however, it is not yet available to download on the official website. The fixed version can be manually downloaded here.

Kodi - Created a fixed version, which is currently only available as a source code release. This version is not yet available to download on the official site. A link to the source code fix is available here.

VLC - Officially fixed and available to download on their website.

Stremio - Officially fixed and available to download on their website.
