Researchers at Check Point (a world-renowned provider of security solutions) have revealed a brand new Internet attack that threatens millions of end users around the world: subtitle attacks.
A user's device is infected when the video player downloads a malicious subtitle file. Attackers can take full control of any type of device through vulnerabilities found in many popular streaming media platforms, including VLC, Kodi, Popcorn-Time, and http://strem.io. It is estimated that about 200 million video players are vulnerable to infection, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities of recent years.
New virus introduction
Under usual conditions, the attack vectors hackers use fall into two main categories: inducing end users to visit malicious websites, or inducing end users to open a malicious software package.
Our research reveals a completely new, wholly neglected method. When the user's player loads subtitles, it is attacked. These subtitles have long been regarded as trusted, benign text files. Our research also demonstrates that these stored subtitles can be tampered with: hackers alter the rating of the malicious subtitles so that they are quickly matched and pushed to the user. A huge number of users are unprepared for this, which leaves them even more exposed.
Media players handle many subtitle files in many different subtitle formats, and this is the breeding ground for the attack. There are more than 25 subtitle formats, each with different features and functions. A media player needs to parse multiple subtitle formats to ensure a better user experience, and each player uses a different method. This fragmented, non-standard situation has led to many different vulnerabilities.
Range: hundreds of millions of users may be infected. Since each vulnerable player found so far has millions of users, we have reason to believe that other media players may also be vulnerable to similar attacks. The latest version of VLC, released on June 5, 2016, has more than 170 million downloads. Kodi (XBMC) has more than 10 million unique users per day, with nearly 40 million unique users per month. There is no specific data for Popcorn, but it definitely has more than a few million users.
Damage: Through a subtitle attack, an attacker can gain complete control over any affected device. Whether it is a PC, a smart TV or a mobile device, none is spared. Attackers can steal sensitive information, blackmail the victim, and so on.
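Because players have long treated subtitles as trusted text, one defensive measure is to check a downloaded file against a strict allowlist before any player parses it. The following is an added example, not code from Check Point or from any of the players named here; it accepts only a strict subset of the SubRip (.srt) format, and the name validate_srt and the size limits are assumptions chosen for illustration.

```python
import re

MAX_BYTES = 512 * 1024          # assumed cap; real subtitle files are small
MAX_CUES = 5000                 # assumed cap on the number of cues
MAX_LINE = 200                  # assumed cap on one line of cue text
TIMING = re.compile(
    r"(\d{2}):([0-5]\d):([0-5]\d),(\d{3}) --> (\d{2}):([0-5]\d):([0-5]\d),(\d{3})")
ALLOWED_TAGS = re.compile(r"</?[ibu]>")   # the only inline markup let through

def _ms(h, m, s, ms):
    return ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)

def validate_srt(data: bytes):
    """Return (ok, reason). Rejects anything outside a strict SubRip subset."""
    if len(data) > MAX_BYTES:
        return False, "file too large"
    try:
        text = data.decode("utf-8-sig")   # strict decode, tolerate a BOM
    except UnicodeDecodeError:
        return False, "not valid UTF-8"
    text = text.replace("\r\n", "\n")
    if any(ord(c) < 0x20 and c != "\n" for c in text) or "\x7f" in text:
        return False, "control character in file"
    cues = [c for c in text.split("\n\n") if c.strip()]
    if not cues or len(cues) > MAX_CUES:
        return False, "bad cue count"
    for n, cue in enumerate(cues, 1):
        lines = cue.strip("\n").split("\n")
        if len(lines) < 3 or lines[0] != str(n):
            return False, f"cue {n}: bad index or missing text"
        t = TIMING.fullmatch(lines[1])
        if not t or _ms(*t.groups()[:4]) >= _ms(*t.groups()[4:]):
            return False, f"cue {n}: bad timing line"
        for line in lines[2:]:
            if len(line) > MAX_LINE:
                return False, f"cue {n}: line too long"
            # Any "<" left after removing allowed tags, or any "{" override, is refused.
            if "<" in ALLOWED_TAGS.sub("", line) or "{" in line:
                return False, f"cue {n}: markup not on allowlist"
    return True, "ok"

# Constructed samples, not taken from any real subtitle repository.
GOOD = b"1\n00:00:01,000 --> 00:00:03,500\n<i>Hello</i> there\n\n2\n00:00:04,000 --> 00:00:05,000\nBye\n"
BAD_MARKUP = b"1\n00:00:01,000 --> 00:00:03,500\n<img src=x>\n"
BAD_BYTES = b"1\n00:00:01,000 --> 00:00:03,500\nHi\x00there\n"

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("markup", BAD_MARKUP), ("nul", BAD_BYTES)]:
        print(name, validate_srt(blob))
```

A check like this narrows what reaches the player's parser but does not replace updating the player itself.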
Which players are affected?
So far, we have tested and found the vulnerabilities in the four most famous media players: VLC, Kodi, Popcorn and Stremio. We have reason to believe that there are similar vulnerabilities in other media players.
- Popcorn Time Subtitles Remote Code Execution
- Kodi Open Subtitles Addon Remote Code Execution
- VLC ParseJSS Null Skip Subtitle Remote Code Execution
- Stremio Subtitles Remote Code Execution
How does the virus spread?
Further in-depth study of the subtitle supply chain produced some interesting results. There are many shared online repositories, such as OpenSubtitles.org, for indexing and inserting movie subtitles.
Some media players download subtitles automatically; these repositories hold extensive potential for attackers.
Our researchers were also able to demonstrate that, by way of the ranking algorithm, we can guarantee that well-crafted malicious subtitles are the ones the player downloads automatically, achieving full control over the entire subtitle supply chain without any additional attack or user interaction. This vulnerability also affects users who load subtitles manually.
The following demonstrates how an attacker can use malicious subtitles to take over your machine: