Video Subtitle Files for Media Players Can Be Used to Take Control of Any Device: Report

Researchers have claimed that popular media players are vulnerable to malicious subtitles files that could allow attackers to take control of any type of device. The researchers estimate that roughly 200 million video players and online streamers are currently vulnerable to such an attack.

The researchers at Check Point say that the malicious subtitle files once downloaded for a media player use could help attackers "complete control over any type of device" via vulnerabilities found in many popular streaming platforms including VLC, Kodi, Popcorn-Time and strem.io.

Check Point researchers further explain, "Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user's media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous."

Unlike traditional attacks, movie subtitles is usually seen as a benign text file by the system which means antivirus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.

Once the attacker takes control of the victim's device whether it is a computer, a smart TV, or a mobile device, the potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.

Check Point researchers tested and found vulnerabilities in four popular media players like VLC, Kodi, Popcorn Time and Stremio. The media players have received patches to avoid the attack by malicious subtitles, and users can download the fixes via the Check Point site.