AuthentificationCyberCrimeFirewallSecuritySecurity ManagementVirus

VLC & Kodi Subtitle Vulnerability Could Give Hackers Control Of 200M Devices

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Follow on: Google +

Security researchers warn of a subtitle vulnerability that affects VLC, Kodi and other popular media software

A vulnerability in how subtitles are delivered to several popular media players could allow an attacker to gain complete control of an affected device simply by creating a dodgy file. 

VLC and Kodi are two of the programs cited by researchers at CheckPoint, which estimates as many as 200 million PCs, Android smartphones and smart TVs are affected.

It said that part of the danger was that subtitle files, often downloaded from free repositories, are seen as benign text files that couldn’t possibly be malicious. Compounding this fact is that there are more than 25 different subtitle file types to be exploited.

VLC Media Player 1

Subtitle vulnerability

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” said the researchers. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In theory an attacker could upload a malicious file and then manipulate the ranking algorithm used by many repositories such as OpenSubtitles.org. Given that some programs automatically download the highest ranked subtitle file available and manual users use these to pick their own downloads, the scale is potentially huge.

VLC has been officially fixed, while Kodi has issued a patch via a source code release rather than an official release. CheckPoint says it has withheld technical details until a later date to allow other affected software to be patched.

Quiz: What do you know about cybersecurity in 2017?