VLC & Kodi Subtitle Vulnerability Could Give Hackers Control Of 200M Devices

A vulnerability in how subtitles are delivered to several popular media players could allow an attacker to gain complete control of an affected device simply by creating a dodgy file.

VLC and Kodi are two of the programs cited by researchers at CheckPoint, which estimates as many as 200 million PCs, Android smartphones and smart TVs are affected.

It said that part of the danger was that subtitle files, often downloaded from free repositories, are seen as benign text files that couldn’t possibly be malicious. Compounding this fact is that there are more than 25 different subtitle file types to be exploited.

Subtitle vulnerability

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” said the researchers. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In theory an attacker could upload a malicious file and then manipulate the ranking algorithm used by many repositories such as OpenSubtitles.org. Given that some programs automatically download the highest ranked subtitle file available and manual users use these to pick their own downloads, the scale is potentially huge.

VLC has been officially fixed, while Kodi has issued a patch via a source code release rather than an official release. CheckPoint says it has withheld technical details until a later date to allow other affected software to be patched.

Quiz: What do you know about cybersecurity in 2017?

Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.

Recent Posts

Ofcom Grants License For Amazon Kuiper To Challenge Starlink In UK

New challenger for Elon Musk's Starlink in UK, after Ofcom grants earth station network licence…

3 hours ago

Openreach Tests 50Gbps Broadband Connection With Nokia

Possible broadband speed of the future? Openreach and Nokia test UK’s first live 50Gbps fibre…

4 hours ago

Jeff Bezos’s $10bn Earth Fund Halts Climate Group Backing – Report

Amazon founder and one of the world’s richest men, Jeff Bezos, has been accused of…

5 hours ago

DeepSeek Sends Data To Blacklisted China Mobile – Report

Researchers at Feroot Security undercover DeepSeek code that transfers data to servers under control of…

20 hours ago