Attackers can use video subtitles to hijack your devices

Only some media player apps have fixes for the security exploit.
Jon Fingas, @jonfingas
May 24, 2017

Be careful before you fire up media player software to play that foreign-language movie -- it might be a way for intruders to compromise your system. Check Point researchers have discovered an exploit that uses maliciously crafted subtitles to take control of your device, whether it's a PC, phone or smart TV. It's not picky about the program, either -- the researchers demonstrated the flaw in Kodi, PopcornTime, Stremio and VLC. The technique isn't particularly complicated, and relies on a tendency by developers to assume that subtitles are little more than innocuous text files.

As many media player apps download subtitles from repositories they explicitly trust, all it takes is an attacker who sneaks a malicious file into the repository in such a way that you're likely to download it. An intruder can manipulate a ratings-based subtitle system to push their file to the top, for instance. Combine that with the complexity of the subtitle world (there are over 25 formats, and each media player handles them differently) and you get a plethora of security holes.

The good news: in some cases, it's fixed. PopcornTime, Stremio and VLC all have updated versions (you can find them in the source link below). However, it's not guaranteed that your client of choice has a patch ready and waiting. Kodi only has a source code fix available as of this writing. If you're using another media player with subtitle support, you may want to be careful about using it until you know that the programmers have addressed this exploit.
