Apparently, even your movie’s subtitles could be out to get you. Researchers at California-based IT security firm Check Point have discovered a new flaw that allows hackers to take complete control over any device via third-party subtitle files.
Subtitles Aren’t Always Just Plain Text
Foreign-language movies and TV episodes downloaded via BitTorrent or through informal streaming services are often packaged with subtitle files that can be read by popular mainstream video players like VLC, Kodi, or PopcornTime. In the majority of cases, these files are just plain old text along with some time stamps that tell the video player when to display each line.
Check Point discovered that because of the innocuous nature of the files, users and anti-virus programs alike tend to ignore the fact that they could contain something other than a language translation. Hackers could package arbitrary code within the file that gets run by the video player software, thus turning over control of the victim’s machine.
Subtitle Websites Need to Be Secured
Some video players, in an attempt to be helpful, will search, download, and run subtitle files automatically when the user asks for them. While obviously convenient, this automated feature is problematic because it assumes that all the subtitle data is coming from a trusted source.
Unfortunately, directories such as OpenSubtitles.org are simply collections of user-contributed content, and have few resources with which to manually curate each file. Instead, they rely on the users themselves to up-vote good subtitles and down-vote or flag the bad ones.
Check Point researchers found that it was easy to manipulate the up-votes for a subtitle file, making it appear as if it was the best available version for a particular movie. Once it was at the top of the list, any video player that was looking for a subtitle would immediately select it, and most users would probably do the same.
At press time, four major video players – VLC, PopcornTime, Kodi, and Stremio — had all published updated versions of their software that plugged the security flaw.
Do you see this as a major threat? Let us know in the comments.
Image via YouTube, VLC