Major security vulnerabilities have been found in several popular media players – including Kodi, PopcornTime, Streamio, and VLC – have been uncovered in new research released by Check Point. Around 200 million users could potentially be at risk.
As the attack vector goes, attackers can create malicious subtitle files containing code set to run once the file is loaded. Once the infected code hits the device, attackers can step in and gain control of the system. This is a device-independent vulnerability, meaning that it can be exploited and manipulated to takeover anything from a smart-TV to a PC, or a mobile device.
The research demonstrated the risk by uploading a malicious subtitle file to OpenSubtitles.org and then tricked the site’s ranking algorithm to ensure that the malicious file would be downloaded automatically. Additionally, there is a wide array of subtitle formats which may be infected, each with unique features for better user experience. And while users may not necessary use subtitles, it’s important to note that some of these media players automatically download subtitles for whatever you are watching either through plugins or simply by default.
Kodi and Stremio have since fixed the vulnerability, and an unofficial fixed-build of Popcorn Time is also available. VLC for desktop has also been fixed, however it seems that VLC for Android hasn’t been updated in the Play Store since August 2016. There is no set proof that this attack has yet been used in the wild (yet), however now that this research has been released, going forth and downloading the patch has never been as crucial.
As more of these high profile vulnerabilities are being discovered, it’s important to realize that such vulnerabilities could be avoided in the first place simply by performing a source code scan to detect and remediate vulnerabilities on the spot. By using CxSAST, you have the power to eliminate vulnerabilities right during the coding process. To see if CxSAST is the solution that your code needs, click here.
Sign up today & never miss an update from the Checkmarx blog
Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.
Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.