  1. #1
    crazed 9.6

    Subtitle Files Can Hack Your Computer While You're Enjoying Movies

    Beware!

    Tuesday, May 23, 2017
    Mohit Kumar
    thehackernews.com

    Do you watch movies with subtitles?

    Just last night, I wanted to watch a French movie, so I searched for English subtitles and downloaded them to my computer.
    Though that film was excellent, this morning new research from Check Point scared me.
    I was unaware that a little subtitle file could hand over full control of my computer to hackers while I was enjoying the movie.

    Yes, you heard that right.

    A team of researchers at Check Point has discovered vulnerabilities in four of the most popular media player applications, which can be exploited by hackers to hijack "any type of device via vulnerabilities; whether it is a PC, a smart TV, or a mobile device" with malicious code inserted into the subtitle files.

    "We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds," he added.

    These four vulnerable media players (mentioned below) have been downloaded more than 220 million times:


    VLC — Popular VideoLAN Media Player
    Kodi (XBMC) — Open-Source Media Software
    Popcorn Time — Software to watch Movies and TV shows instantly
    Stremio — Video Streaming App for Videos, Movies, TV series and TV channels



    The vulnerabilities reside in the way various media players process subtitle files and, if exploited successfully, could put hundreds of millions of users at risk of getting hacked.

    As soon as the media player parses those malicious subtitle files, before displaying the actual subtitles on your screen, the hackers are granted full control of the computer or Smart TV on which you ran those files.

    Proof-of-Concept Video
    https://www.youtube.com/watch?v=vYT_EGty_6A
    In the above video, the researchers demonstrated how a maliciously crafted subtitle file for a movie added to the Popcorn Time media player can hijack a Windows PC. On the right-hand side of the screen, an attacker running Kali Linux gained remote access to the system as soon as the victim added the subtitle file.

    Since text-based subtitles for movies and TV shows are created by writers and then uploaded to Internet stores, like OpenSubtitles and SubDB, hackers could also craft malicious text files for the same TV shows and movies.

    "Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction," CheckPoint researchers said.
    The researchers believe that similar security vulnerabilities also exist in other streaming media players.


    How to Protect Your Computer from Hackers?

    Check Point has already informed the developers of VLC, Kodi, Popcorn Time and Stremio applications about the recently discovered vulnerabilities.

    "To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point," the researchers said.

    All of them have patched the flaws, with Stremio and VLC releasing the patched versions of their software: Stremio 4.0 and VLC 2.2.5, which has been out for two weeks.

    However, Kodi developer Martijn Kaijser said the official version 17.2 release would arrive later this week, while users could get a fixed version online. A patch for Popcorn Time is also available online.

    end C/P


    Laser posted the news from Kodi and their patch fix for this exploit
    http://iptvtalk.net/showthread.php?3...security-issue
    "The illusion of freedom will continue for as long as it's profitable to continue the illusion. At the point where the illusion becomes too expensive to maintain, they will take down the scenery, move the tables and chairs out of the way, then they will pull back the curtains and you will see the brick wall at the back of the theater."
    - Frank Zappa

  2. #2
    expatter


    For people that don't have the ability to upgrade to 17.3, OpenSubtitles.org states that as long as you update to their latest version of the addon, you will be okay and not hackable. They are the only service making that claim so far.

    C/P

    [!!!] Subtitles vulnerability - FIXED


    Tue May 23, 2017 10:03 pm
    Hi all,

    THERE IS NO SUBTITLE VULNERABILITY

    Maybe you read some of these articles:
    http://blog.checkpoint.com/2017/05/23/h ... anslation/
    https://torrentfreak.com/malicious-subt ... rn-170523/
    http://www.eweek.com/security/check-poi ... g-millions
    https://www.helpnetsecurity.com/2017/05 ... itle-hack/
    https://gbhackers.com/200-million-downl ... er-attack/
    https://www.secnews24.com/2017/05/23/ch ... -millions/
    http://www.zdnet.com/article/bogus-movi ... searchers/
    and so on...

    And now you are thinking - OMG, attackers may hack my computer. Nope. We take these issues seriously, so we looked into it. All the hype is caused by "200 million users...". We identified the vulnerability, checked whether it was used, and found out it was used only by the security company CheckPoint when they tested it; nobody else used it and nobody was affected.

    The mentioned vulnerability is fixed now and there is no vulnerability even if you don't upgrade your player/media center. But of course it is better if you have the latest versions of software.

    Also, we cannot guarantee that other subtitle sites have fixed this problem.

    THERE IS NO SUBTITLE VULNERABILITY
    Last edited by expatter; 05-30-2017 at 09:20 AM.

  3. #3
    Ministry of Defence
    Good read crazed and expatter

    Cheers
    If I helped you why haven't you clicked my rep power

 

 
