
On Tuesday, Check Point researchers revealed that hackers were using movie subtitle files to carry out remote code execution attacks. That leaves hundreds of millions of users of popular media players vulnerable to complete system takeovers.

The cyber security firm alerted media player developers like VLC, Kodi (XBMC), Stremio, and Popcorn Time ahead of making the huge vulnerability public. Some of them have already issued updates that fix the problem, while others are still working on a patch.

Media players are the latest platform to get hit by such a large-scale exploit, which is why WordPress partnered with HackerOne to prevent this kind of attack. Microsoft recently issued an emergency update to deal with a potential threat similar in nature.

How does this new attack vector work?

Check Point distinguishes between the different ‘attack vectors’ that hackers tend to use: either they fool users into downloading malicious software or into visiting an infected website. This time, it is neither of the two.

Cyber criminals have turned their attention towards the large portion of internet users who stream content outside official platforms like Netflix, Hulu, and Amazon Prime Video. The research firm estimates roughly 200 million users could have been affected so far.

These not-so-legal platforms rely on pirated content that is uploaded by users to the internet. These shows, cartoons, films, and other media are often watched by people in countries where English isn’t the native language, so naturally, they need subtitles.

Subtitle repositories like OpenSubtitles rank their files and uploaders based on ratings given by users who download them and attest to their accuracy. Hackers found a way around this system to position themselves and their malicious files at the top.

Some services like Kodi (XBMC) have built-in engines to search and download subtitles straight from the player, even in the middle of a movie. They use OpenSubtitles as the default repository from which to get the files.

Popcorn Time, Stremio and others also have similar options to fetch subtitles from websites that might have been stung by hackers too. Check Point researchers say the consequences are potentially “endless” in affected terminals:

“From this point on, the attacker can do whatever he wants with the victim’s machine, whether it’s a PC, a smart TV or a mobile device (…) ranging anywhere from stealing sensitive information, installing ransomware, DDoS attacks, and much more.”

A proof-of-concept video uploaded by the firm suggests it could take less than a minute to take over someone’s computer using any given streaming platform. All of the services have reportedly released fixed versions of their players, but Popcorn Time is holding an official update until further notice.

Source: Check Point