VLC & Kodi Subtitle Vulnerability Could Give Hackers Control Of 200M Devices

A vulnerability in how subtitles are delivered to several popular media players could allow an attacker to gain complete control of an affected device simply by creating a dodgy file.

VLC and Kodi are two of the programs cited by researchers at CheckPoint, which estimates as many as 200 million PCs, Android smartphones and smart TVs are affected.

It said that part of the danger was that subtitle files, often downloaded from free repositories, are seen as benign text files that couldn’t possibly be malicious. Compounding this fact is that there are more than 25 different subtitle file types to be exploited.

Subtitle vulnerability

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” said the researchers. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In theory an attacker could upload a malicious file and then manipulate the ranking algorithm used by many repositories such as OpenSubtitles.org. Given that some programs automatically download the highest ranked subtitle file available and manual users use these to pick their own downloads, the scale is potentially huge.

VLC has been officially fixed, while Kodi has issued a patch via a source code release rather than an official release. CheckPoint says it has withheld technical details until a later date to allow other affected software to be patched.

Quiz: What do you know about cybersecurity in 2017?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

X’s Community Notes Fails To Stem US Election Misinformation – Report

Hate speech non-profit that defeated Elon Musk's lawsuit, warns X's Community Notes is failing to…

1 day ago

Google Fined More Than World’s GDP By Russia

Good luck. Russia demands Google pay a fine worth more than the world's total GDP,…

1 day ago

Spotify, Paramount Sign Up To Use Google Cloud ARM Chips

Google Cloud signs up Spotify, Paramount Global as early customers of its first ARM-based cloud…

2 days ago

Meta Warns Of Accelerating AI Infrastructure Costs

Facebook parent Meta warns of 'significant acceleration' in expenditures on AI infrastructure as revenue, profits…

2 days ago

AI Helps Boost Microsoft Cloud Revenues By 33 Percent

Microsoft says Azure cloud revenues up 33 percent for September quarter as capital expenditures surge…

2 days ago