Online streaming is booming, and applications such as Kodi, Popcorn Time and VLC have millions of daily users.

Some of these use pirated videos, often in combination with subtitles provided by third-party repositories.

While most subtitle makers do no harm, it appears that those with malicious intent can exploit these popular streaming applications to penetrate the devices and systems of these users.

Researchers from Check Point, who uncovered the problem, describe the subtitle ‘attack vector’ as the most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” they write.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

In a demonstration video, using Popcorn Time, the researchers show how easy it is to compromise the system of a potential victim.

A demo of the subtitles vulnerability


XBMC Foundation’s Project lead Martijn Kaijser informs TorrentFreak that the Kodi team is aware of the situation, which they will address soon. “We will release 17.2 which will have the fix this week,” he told us.

VLC’s VideoLAN addressed the issue as well, and doesn’t expect that it is still exploitable.

“The VLC bug is not exploitable. The first big issue was fixed in 2.2.5. There are 2 other small issues, that will be fixed in 2.2.6,” VideoLAN informed us.

The team behind PopcornTime.sh applied a fix several months ago after the researchers approached them, TorrentFreak is informed. The Popcorn Time team trusts their subtitle provider OpenSubtitles but says that it now sanitizes malicious subtitle files, also those that are added by users.

The same applies to the Butter project, which is closely related to Popcorn Time. Butter was not contacted by Check Point but their fix is visible in a GitHub commit from February.

“None of the Butter Project developers were contacted by the research group. We’d love to have them talk to us if our code is still vulnerable. To the extent of our research it is not, but we’d like the ‘responsible disclosure’ terms to actually mean something,” The Butter project informs TorrentFreak.

Finally, another fork Popcorn-Time.to, also informed us that they are not affected by the reported vulnerability.

The Check Point researchers expect that other applications may also be affected. They do not disclose any technical details at this point, nor do they state which of the applications successfully addressed the vulnerability.

“Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point,” the researchers state.

More updates will be added if more information becomes available. For now, however, people who regularly use subtitle files should remain vigilant.

Will Jarvis be affected as well?

Wrong again bro... Safest way is to UPDATE to the latest versions of the media players that have the fixes included.. Why? Cuz the malicious folks can manipulate the ranking algorithms on the various subs downloading sites, faking their way to the top and into trusted status, which once downloaded (automatically or manually) and ran using an "unfixed" media player, playing the video WILL trigger the exploit and compromise the system.

Personal protection is good.. Check out my reply in Kodi thread.. 

As for older devices and or versions.. There will be no official support provided. They simply do not have the manpower to carry on developing for older/legacy systems. As with Kodi V17 and android versions running OS versions lower than Lollipop.. Nothing.. Left at the mercy of the likes of Koying's SPMC.. which IMO is better than the official V16.1, at least on Android.

Why yes I have.. Have you stopped to manually scroll through each and every line?....i used to, back then when I ran such on my PC.. Now, there's a dedicated media box and nothing personal is on it.. So they can have a go at it.. Network is frequently monitored for unusual traffic.. Work related.. 

Oh poor innocent fella.. There are txt, pdfs or docx or jpg files which when opened, do open as "intended"... and yet, a bunch of things are happening ever so silently in the background... Bruh, I would know.. I wear a white hat. 

This is a serious matter.

Updated my VLC player to the latest version because I always download subs manually.

Yes, loopholes are either found by the good or bad guys.. We hope they are found by the good guys and a fix is implemented before the loophole is exploited. That's the ideal scenario. Now, there have been many cases where the bad guys have a good time (could be years in a couple instances) till a patch comes out.. That isn't going to stop anytime soon, if ever. So we'll cross said bridge when we get there. For now, there's a fix freely available.. Those who can? It'd be unwise not to use. For those who can't  ..

Another common misconception... That cuz running Android equals being 100% vulnerable to attacks.. I've been with Android since its early "Donut" & "Eclair" days and nine devices till date, not once have I ever been hit by a virus or malware.. not even among those in my circles.. Back when I got my HTC HD2, I tossed the WM OS out and replaced it with Android, booting off not NAND, but an SD card.. Ah memories..
I trust the Android OS and its ecosystem.. Why? The power of open source and its community.. I'd choose hundreds of thousands of eyes combing through the source code each day over those under Apple's control. Are there more malware/viruses written for Android than its walled counterpart iOS? Yes, simply because its more rewarding.. Cuz duh! Why write a malicious file for a less popular OS when the undisputed King is right there.. Same applies to the Windows OS. However (and this is a huge one), this does not in any way mean that iOS isn't impregnable, and it's very dangerous for such users to assume that it is..

I believe we've gone off topic for a bit.. Perhaps continue in the other thread you created.. 

Edit: Here are some bubble busters... 
Fake Bitcoin Apps Emerge in Apple iTunes App Store.
Apple Lists Top 25 Apps Compromised by XcodeGhost Malware.
Apple Squashes App That Warned When Your iPhone Was Hacked.
Then there's jailbreaking.. Which isn't a default action majority of iOS users will take..

I use VLC & Kodi on the PC... I do have MX Player installed on the Media box but very rarely use it.. In fact, it's Kodi about 98% of the time. Not sure why MX Player wasn't mentioned.. Can't be because it's not popular enough.. Perhaps they too are working on the fix or have already patched it and none the wiser? 

There are two parts to the 2nd question...
1. My phone and tablet are more for official than leisure purposes.. This get the official gmail account and card for purchases.. Now, it's even better as I use mobile networks allow charging to one's account and pay later. So card option has been taken off.  .Apps are purchased from the Play Store or downloaded from the likes of F-Droid, which is a completely free and open source Android app repository... If I have to install Third-party apps outside these sources, I get it directly from the source and at most, those are 2 or 3.. Proprietary apps come to mind..

2. The fiery pit: Exclusively for media consumption on the big screen-box thingy in the living room.. This guy gets nothing personal on it. Not even a personal Dropbox account  .. Has all sorts of hackery & patches & questionable apps installed and uninstalled.. Nothing ever gets purchased on it. I don't even expose my Netflix account to it, that is run exclusively via the isolated Smart TV app. I wouldn't consider the gmail account as a fake account... Just another for TV only account email... You know like how people have work and personal email accounts.. 

The world's most secure smartphones are running the Android OS.. Not iOS/Blackberry OS/Firefox's, etc... Android's... Do check them out when you have some time..;
*Silent Circle's Blackphone 2 and
*Blackberry's PRIV

Yes, I did follow that case and here's what happened.. If you think the US government or that of other countries, didn't prior to that time have the means to break into Apple's devices.. Well, I'll ask you to go back to what made Edward Snowden do what he did and why he remains a wanted person till date. World government officials have tremendous cash and human resources at their disposal and at the top of each and every one of their lists, National security ranks the highest.. To the average consumer, Apple can claim that theirs is the most protected OS.. But we in the system know fully well that the more sheltered an OS is, the less secure it often is.. That's just a basic security fact... If mere "mortals" can jailbreak every single major iOS version in the past.. Ask the Chinese authorities if they don't already have a backdoor into the latest iOS firmware and watch their response..  biggrin.gif

Sorry, does this means kodi 17= Krypton?
Jarvis will be vulnerable?

Yes.

The only reason why I do not have personally identifiable information on my Android media box (Neo U1) is cuz that device is bombarded with apps that are sourced from questionable sources

Thank you for the concern on users such as myself whose having Q16 running on 4.4.2 that's not compatible with Kodi 17.3

Excellent precautions for those who are unable to get upgrade... Now you are talking.. The user takes action and not wait around pointing fingers..  .. .As for people being "stupid" to buy back-dated gadgets.. haha.. Even the iphone 7 is already back-dated.. I hang around device threads, you'll be amazed at how much "stupidity" is out there..

Okay... enjoy the prison disguised as a "secure garden"...   

Ehh.. Cut off one head and two will take its place.. Vive la révolution!
No lah.. Not useless.. First choice is upgrade, else you've got it all covered. No worries, give the community some time and the patch for Jarvis should surface.. Same like with the HTTPS V2 issue, FTMC and SPMC to the rescue...

Bro.. I'm also not eager to give up my trusty Note 3.. That's why, custom ROM, Kernel, etc.. Few months back, swapped out the battery with a new one for less than RM150.. Back to SOT of 4 hours+.. It's reborn!!  . How to swap out battery with newer devices these days all tightly sealed?  .. I sincerely hope it doesn't just die on me.. 

Really.. I sell so hard.. No poison? sads.. 

What's the device? If they are handing it out for free.. Its either a crappy device in the first place or... You are so honorable (read as wealthy) that they've made or hope to make at least RM4K off you before the year ends... In which case, they gave say 2 free Galaxy S8+ units.. My money is on the latter..

I know its the future.. but i'm no fan of having sealed batteries in mobile phones.. We've seen bad batteries swell up and do damage.. At least with a removable back cover, all i have to do is replace the offending battery. I haven't and hope not to experience such. Battery's intact and AMOLED screen remains as gorgeous as ever... *knocks on wood.

Your drone can lose its direction to my place any day.. 

Eh, HTC...  .. IMO, the HTC HD2 (2009) was the last real phone that HTC came up with.. It shipped with Windows Mobile V6.5, but due to its (at the time) beasty hardware, It was very moddable and as a result able to handle multiple OSes (Windows phone 7 & 8, Android, Windows XP, even Windows RT..) and to top it off, it can dual-boot OSes    .. Last year, someone was even able to get Android Nougat working on the HTC HD2... 
Oh I see.. Poor build quality then.. Like the Note 7 fiasco.. A smaller unpopular company would have collapsed. Well, Samsung has another chance to prove themselves as leaders. They better not screw up the Note 8 as I'm eyeing to get one for me HM...