New hack threat may be hiding in your movie’s subtitles – CNET


A security software company warns that subtitles downloaded from websites could harbor malware.

Subtitles for movies you watch via Popcorn Time and similar services might spell trouble for your computer or media device, a computer security company said this week.

A newfound vulnerability could let hackers take control of your gadget through malicious code inserted into the subtitle files, according to a report from Check Point Software Technologies. The vulnerability was identified in several streaming platforms, putting more than 200 million video players and streamers at risk, Check Point said.

The threat resides at websites that film fans or media players use to download subtitles in various languages. Because these repositories are trusted by the user or device, they create an overlooked path for hacking assaults, Check Point said.

“Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files,” Check Point wrote in a blog post Tuesday. “This means users, Anti-Virus software, and other security solutions vet [the files] without trying to assess their real nature, leaving millions of users exposed to this risk.”

Check Point identified Popcorn Time, VLC, Kodi and Stremio as services affected by the vulnerability but said it believes similar problems exist in other platforms as well. VLC, Kodi and Stremio have already been fixed, and updated versions are available for download. Popcorn Time has been fixed, but the update isn’t yet available for download from the official site, Check Point said.

The maker of Kodi, however, disputes the severity of the threat.

“Checkpoint has overblown this significantly,” Keith Herrington, a representative for XBMC, told CNET. “It’s rare you download a subtitle in a .zip file, and any decent subtitle website you get them from should check them for ‘weirdness’ such as this, and even if you somehow had access to the filesystem, you can’t execute code, which is what malware needs.

“Without the ability to actually execute code, it’s very, very, very difficult for anyone to do any actual damage,” Herrington said.

Representatives for Popcorn Time, VLC and Stremio didn’t immediately respond to a request for comment.

Check Point published this video as a proof of concept.
