What You Need To Know: Security Vulnerabilities Found in Major Media Players

Major security vulnerabilities in several popular media players, including Kodi, Popcorn Time, Stremio, and VLC, have been uncovered in new research released by Check Point. Around 200 million users could potentially be at risk.



The attack vector works as follows: attackers create malicious subtitle files containing code set to run once the file is loaded. Once the malicious code reaches the device, attackers can step in and gain control of the system. This is a device-independent vulnerability, meaning that it can be exploited to take over anything from a smart TV to a PC or a mobile device.


The researchers demonstrated the risk by uploading a malicious subtitle file to OpenSubtitles.org and then tricking the site’s ranking algorithm to ensure that the malicious file would be downloaded automatically. Additionally, there is a wide array of subtitle formats that may be infected, each with unique features for a better user experience. And while users may not necessarily use subtitles, it’s important to note that some of these media players automatically download subtitles for whatever you are watching, either through plugins or simply by default.


Hacked in Translation | Image Source – Check Point

Kodi and Stremio have since fixed the vulnerability, and an unofficial fixed build of Popcorn Time is also available. VLC for desktop has also been fixed; however, it seems that VLC for Android hasn’t been updated in the Play Store since August 2016. There is no proof yet that this attack has been used in the wild; however, now that this research has been released, downloading the patch has never been as crucial.


As more of these high profile vulnerabilities are being discovered, it’s important to realize that such vulnerabilities could be avoided in the first place simply by performing a source code scan to detect and remediate vulnerabilities on the spot. By using CxSAST, you have the power to eliminate vulnerabilities right during the coding process. To see if CxSAST is the solution that your code needs, click here.


Arden Rubens

Social Media Manager & Content Writer at Checkmarx
Arden is the social media manager and a content writer at Checkmarx. Her blogs focus on cyber security trends and the latest developments in the world of AppSec. She aims to educate and inspire developers, security professionals, and organizations to find the best defense against online threats.
