Beware of Malicious Subtitle Files: Vulnerability in VLC, Kodi Exposed

Prayank

Technology is advancing at an inconceivable pace, but every now and then a vulnerability is discovered that can be turned into a playground for hackers, who gain access to devices by exploiting the bugs.

As the WannaCry ransomware attacks subside, researchers have found a vulnerability in popular media streaming platforms such as VLC, Kodi (XBMC), Popcorn-Time and strem.io.

The attack uses innocent-looking subtitle text files, sourced from online repositories, as its weapon of choice; such files are more often than not overlooked by security firms because of their seemingly harmless nature.

Researchers at Check Point Security have found a vulnerability in the aforementioned streaming software that can be exploited to gain remote access to devices that load subtitle files carrying malicious code.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV or a mobile device,” Check Point stated.

If a hacker were to exploit this vulnerability in popular media streaming software, they could potentially gain access to data on over 100 million devices.

VLC’s latest version has north of 170 million downloads, while Kodi is used by over 10 million unique users every day.

“The potential damage the attacker can [inflict] range[s] anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” Check Point adds.

The security researchers reported the vulnerabilities to the organisations maintaining the affected media streaming platforms.

While some issues have been fixed, other bugs are still being investigated and fixes are expected to be released soon.

VLC and Stremio have released official updates for their streaming software with a fix for the vulnerability, but Kodi and PopcornTime have yet to do so.

In the meantime, it’s recommended to steer clear of online subtitle repositories as you never know when an innocent-looking subtitle text file can turn into a tool to hold your device hostage for money.

Written By

Prayank

Bike enthusiast, traveller, ManUtd follower, army brat, word-smith; Delhi University, Asian College of Journalism, Cardiff University alumnus; a journalist breathing tech these days.