Major security vulnerabilities in several popular media players, including Kodi, Popcorn Time, Stremio, and VLC, have been uncovered in new research released by Check Point. Around 200 million users could potentially be at risk.
The attack vector is straightforward: attackers craft a malicious subtitle file so that, when the player loads it, the crafted content triggers code of the attacker's choosing. Once that code runs on the device, the attacker can take control of the system. The vulnerability is device-independent, meaning it can be exploited to take over anything from a smart TV to a PC or a mobile device.
The researchers demonstrated the risk by uploading a malicious subtitle file to OpenSubtitles.org and gaming the site's ranking algorithm so that the malicious file would be the one downloaded automatically. There is also a wide array of subtitle formats that can carry such a payload, each with its own features meant to improve the viewing experience. And while users may not necessarily use subtitles, it is important to note that some of these media players automatically download subtitles for whatever you are watching, either through plugins or simply by default.
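The subtitle parsers these players ship are the attack surface: they read attacker-controlled files in many formats, and a parser that trusts field lengths or timestamps is where a crafted file gets its code to run. The article does not detail the specific flaws Check Point found, so the following is an added example, not code from the article or from any of the named players, of what a fail-closed parser for the simplest of those formats (SubRip, .srt) looks like: every copy is length-checked, the timing line is parsed strictly, the cue count is capped, and any deviation rejects the whole file rather than truncating or guessing. SAMPLE_SRT, parse_srt, parse_string and g_cues are names chosen for this example, the sample file is constructed, and MAX_TEXT is kept small (64 bytes) so the overlong-line case is easy to exercise.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_TEXT 64    /* bytes of text kept per cue, terminator included (small for the example) */
#define MAX_CUES 16    /* hard cap on cues accepted from one file */

struct cue { long start_ms, end_ms; char text[MAX_TEXT]; };

/* Constructed two-cue SRT file used as sample input; not from the article. */
static const char SAMPLE_SRT[] =
    "1\n00:00:01,000 --> 00:00:04,000\nHello, world.\n\n"
    "2\n00:00:05,500 --> 00:00:07,250\nSecond line\n";

/* The bug class a crafted subtitle targets is a copy like strcpy(out, line)
 * into a fixed buffer with no length check. This version refuses lines that
 * would not fit, so a malformed file fails closed instead of corrupting memory. */
static int copy_text_safe(char *out, size_t out_len, const char *line, size_t len)
{
    if (len >= out_len) return -1;
    memcpy(out, line, len);
    out[len] = '\0';
    return 0;
}

/* Next line (CR/LF stripped) from [*p, end); returns 0 at end of input. */
static int next_line(const char **p, const char *end, const char **line, size_t *len)
{
    const char *nl;
    if (*p >= end) return 0;
    *line = *p;
    nl = memchr(*p, '\n', (size_t)(end - *p));
    *len = nl ? (size_t)(nl - *p) : (size_t)(end - *p);
    *p = nl ? nl + 1 : end;
    if (*len && (*line)[*len - 1] == '\r') (*len)--;
    return 1;
}

/* Strict "HH:MM:SS,mmm --> HH:MM:SS,mmm"; extra or out-of-range fields fail. */
static int parse_timing(const char *s, long *start_ms, long *end_ms)
{
    int h1, m1, s1, ms1, h2, m2, s2, ms2;
    char tail;
    if (sscanf(s, "%2d:%2d:%2d,%3d --> %2d:%2d:%2d,%3d%c",
               &h1, &m1, &s1, &ms1, &h2, &m2, &s2, &ms2, &tail) != 8)
        return -1;                                  /* 9 means trailing garbage */
    if (h1 < 0 || m1 < 0 || m1 > 59 || s1 < 0 || s1 > 59 || ms1 < 0 ||
        h2 < 0 || m2 < 0 || m2 > 59 || s2 < 0 || s2 > 59 || ms2 < 0) return -1;
    *start_ms = ((h1 * 60L + m1) * 60 + s1) * 1000 + ms1;
    *end_ms   = ((h2 * 60L + m2) * 60 + s2) * 1000 + ms2;
    return *start_ms <= *end_ms ? 0 : -1;
}

/* Parse an SRT buffer into cues. Returns the cue count, or -1 at the first
 * violation: non-numeric index, bad timing, overlong or empty text, too many cues. */
int parse_srt(const char *data, size_t data_len, struct cue *cues, int max_cues)
{
    const char *p = data, *end = data + data_len, *line;
    size_t len, used, i;
    char timing[64];
    int n = 0;

    while (next_line(&p, end, &line, &len)) {
        if (len == 0) continue;                     /* blank separator line */
        if (n >= max_cues) return -1;
        for (i = 0; i < len; i++)                   /* index line: digits only */
            if (!isdigit((unsigned char)line[i])) return -1;
        if (!next_line(&p, end, &line, &len) || len >= sizeof timing) return -1;
        memcpy(timing, line, len);
        timing[len] = '\0';
        if (parse_timing(timing, &cues[n].start_ms, &cues[n].end_ms) != 0) return -1;
        used = 0;
        cues[n].text[0] = '\0';
        while (next_line(&p, end, &line, &len) && len > 0) {
            if (used > 0) {                         /* join text lines with '\n' */
                if (used + 1 >= MAX_TEXT) return -1;
                cues[n].text[used++] = '\n';
            }
            if (copy_text_safe(cues[n].text + used, MAX_TEXT - used, line, len) != 0)
                return -1;
            used += len;
        }
        if (used == 0) return -1;                   /* a cue must carry text */
        n++;
    }
    return n;
}

struct cue g_cues[MAX_CUES];   /* results of the last parse_string() call */

int parse_string(const char *s)
{
    return parse_srt(s, strlen(s), g_cues, MAX_CUES);
}

int main(void)
{
    int i, n = parse_string(SAMPLE_SRT);
    for (i = 0; i < n; i++)
        printf("%ld..%ld ms: %s\n", g_cues[i].start_ms, g_cues[i].end_ms, g_cues[i].text);
    return n < 0;
}
```

The design choice worth noting is that every failure path returns -1 for the whole file rather than skipping the bad cue: a parser that tolerates and "repairs" malformed input is exactly what gives an attacker room to reach the buggy branch, and a subtitle file that does not parse cleanly is cheap to discard.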
Kodi and Stremio have since fixed the vulnerability, and an unofficial fixed build of Popcorn Time is also available. VLC for desktop has also been fixed; however, VLC for Android appears not to have been updated in the Play Store since August 2016. There is no proof that this attack has been used in the wild yet, but now that the research is public, installing the patches has never been as crucial.
As more of these high-profile vulnerabilities are discovered, it's important to realize that such vulnerabilities could be avoided in the first place by scanning source code to detect and remediate them before release. With CxSAST, you have the power to eliminate vulnerabilities during the coding process. To see if CxSAST is the solution your code needs, click here.
Posted by Arden Rubens