Proof of concept attack leverages poor subtitle security in media players.
Proof of concept attack leverages poor subtitle security in media players.

Check Point researchers developed a proof of concept attack vector that can take over a user's device by exploiting how subtitles are loaded by the device's media player.

This attack vector leverages the unsecured way in which various media players process subtitle files and the large number of subtitle formats that are available, according to a May 23 blog post. A potential victim would have to enable the subtitles for the attack to execute. 

“These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user,” the report said. “This method requires little or no deliberate action on the part of the user, making it all the more dangerous.”

Because they are considered a trusted source, anti-virus software, and other security solutions vet subtitles without trying to assess their real nature, and unlike traditional attack vectors, movie subtitles are perceived as nothing more than benign text files.

There are more than 25 subtitle formats in use which often make it necessary for media players to parse together multiple subtitle formats to provide a better user experience and to ensure coverage. This requires the use of fragmented software which creates numerous vulnerabilities.

The attack could be executed in the wild if the attacker crafted malicious subtitle files, uploaded said file to an online repository and manipulated the ranking algorithm, and then the user loaded the malicious subtitles from a trusted source, Check Point said.

“From this point on, the attacker can do whatever he wants with the victim's machine, whether it is a PC, a smart TV, or a mobile device,” researchers said in the post. “The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

Researchers spotted the flaw in four of the most prominent media players including VLC, Kodi, Popcorn Time and Stremio all of which have since released patches. The researchers also believe similar vulnerabilities exist in other media players as well