What’s worse than a security vulnerability in a widely-used program? A security vulnerability in several widely-used programs. Researchers from Check Point Software Technologies have uncovered a flaw in a handful of media players (including VLC, Kodi, Stremio, and PopcornTime) that allows hackers to run executable code through subtitle files.
Check Point did not reveal details about how the vulnerability works, to protect users and allow developers to fix the issue. Essentially, hackers can create malicious subtitle files containing executable code, which runs when the file is loaded. Check out the below video of the vulnerability in action on PopcornTime:
The real problem is that some media players, either by default or through optional plugins, can automatically download subtitles for whatever you are watching. Researchers were able to prove that by uploading a malicious subtitle file to OpenSubtitles.org, and manipulating the site’s ranking algorithm, they could guarantee the infected file would be automatically downloaded by the media player.
VLC, Kodi, and Stremio have fixed the vulnerability (with an unofficial build of PopcornTime available with the fix). However, VLC for Android doesn’t seem to be patched, as it was last updated on the Play Store in August. Thankfully, Kodi for Android has been fixed, and the updated version is available right now on the Play Store.