VLC & Kodi Subtitle Vulnerability Could Give Hackers Control Of 200M Devices

A vulnerability in how subtitles are delivered to several popular media players could allow an attacker to gain complete control of an affected device simply by creating a dodgy file.

VLC and Kodi are two of the programs cited by researchers at CheckPoint, which estimates as many as 200 million PCs, Android smartphones and smart TVs are affected.

It said that part of the danger was that subtitle files, often downloaded from free repositories, are seen as benign text files that couldn’t possibly be malicious. Compounding this fact is that there are more than 25 different subtitle file types to be exploited.

Subtitle vulnerability

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” said the researchers. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In theory an attacker could upload a malicious file and then manipulate the ranking algorithm used by many repositories such as OpenSubtitles.org. Given that some programs automatically download the highest ranked subtitle file available and manual users use these to pick their own downloads, the scale is potentially huge.

VLC has been officially fixed, while Kodi has issued a patch via a source code release rather than an official release. CheckPoint says it has withheld technical details until a later date to allow other affected software to be patched.

Quiz: What do you know about cybersecurity in 2017?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

UK’s CMA Readies Cloud Sector “Behavioural” Remedies – Report

Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector

10 hours ago

Former Policy Boss At X Nick Pickles, Joins Sam Altman Venture

Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…

13 hours ago

Bitcoin Rises Above $96,000 Amid Trump Optimism

Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…

14 hours ago

FTX Co-Founder Gary Wang Spared Prison

Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…

15 hours ago