VLC users at risk of viruses hidden in subtitles
Viruses could be hidden in online video subtitles and used to hijack viewers’ computers, security experts have warned.
The security risk, spotted by cyber security firm Check Point, has been found to affect the VLC, Kodi, Popcorn Time and Stremio online media players. However, the researchers say it could affect other players, too.
If downloaded, malicious subtitles could be used to take control of a range of devices including smartphones and smart TVs.
Once hackers have control of a device they can install ransomware or steal sensitive information including bank details and passwords.
"We have discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds," said Omri Herscovici, vulnerability research team leader at Check Point.
An infographic shows how a hacker can hijack a device using the malicious subtitles.
Subtitles for film and TV programmes are created by a wide range of freelance writers and uploaded to shared online holding pens where they’re indexed and ranked. The Check Point researchers showed that hackers can manipulate these repositories’ ranking algorithms so that malicious subtitles are automatically downloaded by the media players.
"The supply chain for subtitles is complex, with more than 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers," explained Herscovici.