VLC, Kodi and Popcorn Time Vulnerable to Malicious Subtitle Attack

We are living through a rather dark time in computer security. After the latest ransomware, “WannaCry”, spread across the world, it looks like you cannot even trust a subtitle file anymore. Check Point researchers have announced a new and surprising form of attack that can leave millions of users around the world exposed: subtitles. Yes, subtitles.

Basically, when you play a video in a multimedia player such as VLC, Kodi, Popcorn Time or Stremio and load subtitles, the attacker can access your device and control it remotely. Antivirus software is not able to detect the attack, since it treats the subtitles as a normal text file.

Depending on the media player, these subtitles are loaded either manually or automatically. Kodi and Popcorn Time download subtitle files automatically. Once you play the video with the subtitle file loaded, your device is infected, be it a computer, smart TV, tablet or mobile.

Subtitle repositories are, in practice, treated as a reliable source by the user or the player. However, the research shows that they can be manipulated so that a subtitle file gets the highest score and is the one served to the user. In applications that obtain subtitles automatically from the Internet, it may even be possible to build attacks that need no user interaction.

The problem lies in the large number of subtitle formats. There are currently over 25 different subtitle formats, each with its own characteristics. Having to handle so many formats ultimately leads to different vulnerabilities.

Check Point confirmed the existence of vulnerabilities in VLC, Kodi, Popcorn Time and Stremio, although they believe that other media players may have similar bugs. They also say that some of the problems have been corrected, but others are still under investigation. To give developers time to correct all the vulnerabilities, they have not published further technical details.

Solution: Upgrade now

The simplest and most immediate solution is to upgrade to the latest version.

  • Popcorn Time already offers an updated version. However, not all the patches have been applied; the rest will appear in version 0.3.11. Upgrade as soon as it becomes available. Other related projects, such as Butter, seem to have solved the problem in February. If you use a version other than Popcorntime.sh, you should proceed with caution.
  • VLC repaired the main vulnerability in the latest version, and says that the bug is no longer exploitable. However, there are two small unresolved issues, for which you will have to wait for version 2.2.6, to be released soon.
  • Kodi will release version 17.2 this week to fix the vulnerability. In the meantime, the source code for the corrected version is already available on GitHub.
  • Stremio provides a corrected version on its official website.

If you have not yet updated any of these multimedia players, do not use them until you do, especially if you have them configured to download subtitles automatically. If you use an application that has not yet been updated, or one that is not on the list, the best thing to do is not to allow subtitles to be downloaded automatically.