Attackers can use video subtitles to hijack your devices

Only some media player apps have fixes for the security exploit.


Be careful before you fire up media player software to play that foreign-language movie -- it might be a way for intruders to compromise your system. Check Point researchers have discovered an exploit that uses maliciously crafted subtitles to take control of your device, whether it's a PC, phone or smart TV. It's not picky about the program, either -- the researchers demonstrated the flaw in Kodi, PopcornTime, Stremio and VLC. The technique isn't particularly complicated, and relies on developers' tendency to assume that subtitles are little more than innocuous text files.

As many media player apps download subtitles from repositories they explicitly trust, all it takes is an attacker who sneaks a malicious file into the repository in such a way that you're likely to download it. An intruder can manipulate a ratings-based subtitle system to push their file to the top, for instance. Combine that with the complexity of the subtitle world (there are over 25 formats, and each media player handles them differently) and you get a plethora of security holes.

The good news: in some cases, it's fixed. PopcornTime, Stremio and VLC all have updated versions (you can find them in the source link below). However, it's not guaranteed that your client of choice has a patch ready and waiting. Kodi only has a source code fix available as of this writing. If you're using another media player with subtitle support, you may want to be careful about using it until you know that the programmers have addressed this exploit.