New hack threat may be hiding in your movie's subtitles

Malicious code inserted into subtitle files downloaded from movie subtitle databases could be used to hijack your device, researchers warn.

Steven Musil Night Editor / News

A security software company warns that subtitles downloaded from websites could harbor malware.

Subtitles for movies you watch via Popcorn Time and similar services might spell trouble for your computer or media device, a computer security company said this week.

A newfound vulnerability could let hackers take control of your gadget through malicious code inserted into the subtitle files, according to a report from Check Point Software Technologies. The vulnerability was identified in several streaming platforms, putting more than 200 million video players and streamers at risk, Check Point said.

The threat resides at websites that film fans or media players use to download subtitles in various languages. Because these repositories are trusted by the user or device, they create an overlooked path for hacking assaults, Check Point said.

"Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files," Check Point wrote in a blog post Tuesday. "This means users, Anti-Virus software, and other security solutions vet [the files] without trying to assess their real nature, leaving millions of users exposed to this risk."

Check Point identified Popcorn Time, VLC, Kodi and Stremio as services affected by the vulnerability but said it believes similar problems exist in other platforms as well. VLC, Kodi and Stremio have already been fixed after being alerted to the issue by Check Point, and updated versions are available for download. Popcorn Time has been fixed, but the update isn't yet available for download from the official site, Check Point said.

The maker of Kodi, however, disputes the severity of the threat.

"Check Point has overblown this significantly," Keith Herrington, a representative for XBMC, told CNET. "It's rare you download a subtitle in a .zip file, and any decent subtitle website you get them from should check them for 'weirdness' such as this, and even if you somehow had access to the filesystem, you can't execute code, which is what malware needs.

"Without the ability to actually execute code, it's very, very, very difficult for anyone to do any actual damage," Herrington said.

Stremio confirmed it had updated its software after being contacted by Check Point, as did VLC, which added that its version 4.0 beta was unaffected by the vulnerability.

Representatives for Popcorn Time didn't respond to a request for comment.

Check Point published this video as a proof of concept.

First published May 25, 5:43 p.m. PT.
Update, May 26 at 9 a.m.: Adds comment from Stremio and VLC.