Online streaming is booming, and applications such as Kodi, Popcorn Time and VLC have millions of daily users.

Some of these use pirated videos, often in combination with subtitles provided by third-party repositories.

While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users.

Researchers from Check Point, who uncovered the problem, describe the subtitle ‘attack vector’ as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” they write.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In a demonstration video, using Popcorn Time, the researchers show how easy it is to compromise the system of a potential victim.

A demo of the subtitles vulnerability


XBMC Foundation’s Project lead Martijn Kaijser informs TorrentFreak that the Kodi team is aware of the situation, which they will address soon. “We will release 17.2 which will have the fix this week,” he told us.

VLC’s VideoLAN addressed the issue as well, and doesn’t expect that it is still exploitable.

“The VLC bug is not exploitable. The first big issue was fixed in 2.2.5. There are 2 other small issues, that will be fixed in 2.2.6,” VideoLAN informed us.

The team behind PopcornTime.sh applied a fix several months ago after the researchers approached them, TorrentFreak is informed. The Popcorn Time team trusts their subtitle provider OpenSubtitles but says that it now sanitizes malicious subtitle files, also those that are added by users.

The same applies to the Butter project, which is closely related to Popcorn Time. Butter was not contacted by Check Point but their fix is visible in a GitHub commit from February.

“None of the Butter Project developers were contacted by the research group. We’d love to have them talk to us if our code is still vulnerable. To the extent of our research it is not, but we’d like the ‘responsible disclosure’ terms to actually mean something,” The Butter project informs TorrentFreak.

Finally, another fork Popcorn-Time.to, also informed us that they are not affected by the reported vulnerability.

The Check Point researchers expect that other applications may also be affected. They do not disclose any technical details at this point, nor do they state which of the applications successfully addressed the vulnerability.

“Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point,” the researchers state.

More updates will be added if more information becomes available. For now, however, people who regularly use subtitle files should remain vigilant.

Check Point researchers contacted the developers of the affected media players in April 2017. Thankfully, the security patches have been released.

In the case of VLC, the attacker can leverage memory corruption bug. The media player had four vulnerabilities (CVE-2017-8310, CVE-2017-8311, CVE-2017-8312 and CVE-2017-8313) which have been fixed by VideoLan.

A fix for VLC is available as the latest version 2.2.5.1 which is present on the VideoLan’s website. The same is the case of Stremio.

The developers of Popcorn Time and Kodi have created a fix, but it’s not released for public yet. For Popcorn Time, you can download the fix manually using this link provided by the researchers. Head over to GitHub where you can find a source code fix for XBMC Kodi.

Will Jarvis be affected as well?

Will Jarvis be affected as well?

I believed if the infected sub-title are injected with the code you will be a target.  NO matter what version you used. Unless there's a patch to block the code.

Better to used VPN at the moment.

Most important now is to Clear the sub-title downloaded cache.

Safest way are to download the subtitle manually.

I used to download it manually last time because sometime the audio and title sync is way out.

https://subtitle.udownloadrooz.xyz/

Wrong again bro... Safest way is to UPDATE to the latest versions of the media players that have the fixes included.. Why? Cuz the malicious folks can manipulate the ranking algorithms on the various subs downloading sites, faking their way to the top and into trusted status, which once downloaded (automatically or manually) and ran using an "unfixed" media player, playing the video WILL trigger the exploit and compromise the system.

For sure it the apps will be updated lor. LOL

That's my personal precaution. LOL

So what about the old device. they abandoning them at the moment. I also created my own Kodi 17.2.ipa for my ipad. 

Personal protection is good.. Check out my reply in Kodi thread.. 

As for older devices and or versions.. There will be no official support provided. They simply do not have the manpower to carry on developing for older/legacy systems. As with Kodi V17 and android versions running OS versions lower than Lollipop.. Nothing.. Left at the mercy of the likes of Koying's SPMC.. which IMO is better than the official V16.1, at least on Android.

I think you have never try open a srt files before. have a look with notepad. 

Why yes I have.. Have you stopped to manually scroll through each and every line?....i used to, back then when I ran such on my PC.. Now, there's a dedicated media box and nothing personal is on it.. So they can have a go at it.. Network is frequently monitored for unusual traffic.. Work related.. 

Oh poor innocent fella.. There are txt, pdfs or docx or jpg files which when opened, do open as "intended"... and yet, a bunch of things are happening ever so silently in the background... Bruh, I would know.. I wear a white hat. 

This is a serious matter.

Updated my VLC player to the latest version because I always download subs manually.

Yes, loopholes are either found by the good or bad guys.. We hope they are found by the good guys and a fix is implemented before the loophole is exploited. That's the ideal scenario. Now, there have been many cases where the bad guys have a good time (could be years in a couple instances) till a patch comes out.. That isn't going to stop anytime soon, if ever. So we'll cross said bridge when we get there. For now, there's a fix freely available.. Those who can? It'd be unwise not to use. For those who can't  ..

Another common misconception... That cuz running Android equals being 100% vulnerable to attacks.. I've been with Android since its early "Donut" & "Eclair" days and nine devices till date, not once have I ever been hit by a virus or malware.. not even among those in my circles.. Back when I got my HTC HD2, I tossed the WM OS out and replaced it with Android, booting off not NAND, but an SD card.. Ah memories..
I trust the Android OS and its ecosystem.. Why? The power of open source and its community.. I'd choose hundreds of thousands of eyes combing through the source code each day over those under Apple's control. Are there more malware/viruses written for Android than its walled counterpart iOS? Yes, simply because its more rewarding.. Cuz duh! Why write a malicious file for a less popular OS when the undisputed King is right there.. Same applies to the Windows OS. However (and this is a huge one), this does not in any way mean that iOS isn't impregnable, and it's very dangerous for such users to assume that it is..

I believe we've gone off topic for a bit.. Perhaps continue in the other thread you created.. 

Edit: Here are some bubble busters... 
Fake Bitcoin Apps Emerge in Apple iTunes App Store.
Apple Lists Top 25 Apps Compromised by XcodeGhost Malware.
Apple Squashes App That Warned When Your iPhone Was Hacked.
Then there's jailbreaking.. Which isn't a default action majority of iOS users will take..

I don't use VLC but I'm curious why they didn't mention MX-player?
Is good that you have so much confident with android. So do you buy anything in playstore using your credit card? Did you used that account for all your android devices and not using a fake account for normal usage? Why not?

As for my concerned on android platform we don't need to talk about history. We just have to patched a loophole.

I wonder you read the case whereby the FBI wanted to read the iPhone data from a terrorist? They go into court for that purposes but apple rejected and they ended up paying hundreds of thousand for a security firm to break into the phone. As for JB. it is the end user who select the risk. It is well known the risk it can causes or else you don't JB.

I use VLC & Kodi on the PC... I do have MX Player installed on the Media box but very rarely use it.. In fact, it's Kodi about 98% of the time. Not sure why MX Player wasn't mentioned.. Can't be because it's not popular enough.. Perhaps they too are working on the fix or have already patched it and none the wiser? 

There are two parts to the 2nd question...
1. My phone and tablet are more for official than leisure purposes.. This get the official gmail account and card for purchases.. Now, it's even better as I use mobile networks allow charging to one's account and pay later. So card option has been taken off.  .Apps are purchased from the Play Store or downloaded from the likes of F-Droid, which is a completely free and open source Android app repository... If I have to install Third-party apps outside these sources, I get it directly from the source and at most, those are 2 or 3.. Proprietary apps come to mind..

2. The fiery pit: Exclusively for media consumption on the big screen-box thingy in the living room.. This guy gets nothing personal on it. Not even a personal Dropbox account  .. Has all sorts of hackery & patches & questionable apps installed and uninstalled.. Nothing ever gets purchased on it. I don't even expose my Netflix account to it, that is run exclusively via the isolated Smart TV app. I wouldn't consider the gmail account as a fake account... Just another for TV only account email... You know like how people have work and personal email accounts.. 

The world's most secure smartphones are running the Android OS.. Not iOS/Blackberry OS/Firefox's, etc... Android's... Do check them out when you have some time..;
*Silent Circle's Blackphone 2 and
*Blackberry's PRIV

Yes, I did follow that case and here's what happened.. If you think the US government or that of other countries, didn't prior to that time have the means to break into Apple's devices.. Well, I'll ask you to go back to what made Edward Snowden do what he did and why he remains a wanted person till date. World government officials have tremendous cash and human resources at their disposal and at the top of each and every one of their lists, National security ranks the highest.. To the average consumer, Apple can claim that theirs is the most protected OS.. But we in the system know fully well that the more sheltered an OS is, the less secure it often is.. That's just a basic security fact... If mere "mortals" can jailbreak every single major iOS version in the past.. Ask the Chinese authorities if they don't already have a backdoor into the latest iOS firmware and watch their response..  biggrin.gif

Sorry, does this means kodi 17= Krypton?
Jarvis will be vulnerable?

Yes.

You see! that's the thing. We will take precaution not to exposed our official account in the Android box setup because that's a risk and used a fake account instead (meaning the account has nothing. NO credit detail, purchased, contact, email sync etc........) . But these has become a failure of the android system structure compared with Apple. I have no concerned about using my apple ID with my apple TV. Whatever songs, movies, apps, games that I bought or free download from itune over the years are shared with all my apple devices and family. I have no concern if I lost or damaged any of these devices because once I replace with another apple device unit and key in my apple ID. everything will be restore back exactly as the last back-up.

I'm not trying to say apple are much better. Just that I have more confident using it. The latest loophole in Android we patched are very much like Teamviewer without end user knowledge. it not only affected the android TV boxes but all devices that installed Kodi, popcorn, VLC etc....... Is very dangerous.

These are very hard to predict. It happen to Iran before. Whereby their Nuclear reactor hardware were sabotage and control by CIA. Is possible..... anything can happen but if that happen. Not only apple product. whatever product that came out from these country are at risk. LOL

Best is to go back to stone age. hahahaaaa 

As for Edward Snowden. No matter how you see the case. He is a traitor. If that happen to any Country, that country will label him as traitor for sure.

You see that's the problems. Those User still using these older devices felt betray. Android and KODI abandon them letting them at risk. I can accept if they don't update the apps for future feature but for security risk? A NO NO!

These people will have to trust whoever come out with a patch and who can verify that the patch are safe that is not coming out from the official side?

The only thing left are to used these Android TV box wisely. Take whatever precaution you think is the best for you. Used wisely and smart BUT used at your own risk.

Bottom link. Even I have patched and update to the latest apk. I'll take extra precaution!
Cheers!