Hacked in Translation -- from Subtitles to Complete Takeover

Omri Herscovici, Omer Gull

TL;DR

This work identifies a new threat model where automatically downloaded subtitles can be weaponized to compromise devices running popular streaming platforms. By analyzing PopcornTime, OpenSubtitles, KODI, Stremio, and VLC, it demonstrates how subtitle APIs, repository trust, and parsing and extraction vulnerabilities enable remote code execution with little to no user interaction. The authors show practical attack chains, including ranking manipulation, API abuse, fuzzing-driven memory corruption, and plugin/socket-level exploits, culminating in full system control. The findings underscore the need to reassess subtitle data trust and to harden parsing, download, and extraction workflows to mitigate large-scale risk.

Abstract

Check Point researchers revealed a new attack vector which threatens millions of users worldwide - attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim's media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerabilities reported in recent years. Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are automatically loaded from online repositories by the user's media player. These subtitle repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated into awarding the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous. Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files. This means users, Anti-Virus software, and other security solutions vet them without trying to assess their real nature, leaving millions of users exposed to this risk.
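Added example (not code from the paper or from any of the players it names): a hardened ingest step for a subtitle a player has just fetched from a repository, following the abstract's call to stop treating downloaded subtitles as trusted text and to harden the download, parsing and extraction workflow. It assumes the player accepts SRT files, optionally delivered inside a ZIP; the size cap, entry names and sample subtitle are constructed assumptions.

```python
import io
import re
import zipfile

MAX_SUBTITLE_BYTES = 2 * 1024 * 1024  # assumed sane upper bound for one subtitle file
# SRT cue timing line, e.g. "00:01:02,500 --> 00:01:05,000"
_TIMING = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")
# Constructed sample of a well-formed subtitle (not taken from the paper).
SAMPLE_SRT = "1\n00:00:01,000 --> 00:00:03,000\nHello.\n\n"

def is_safe_entry_name(name):
    """Reject absolute paths, drive letters, '..' components and non-.srt names."""
    if not name or name.startswith(("/", "\\")) or ":" in name:
        return False
    parts = name.replace("\\", "/").split("/")
    return ".." not in parts and parts[-1].lower().endswith(".srt")

def looks_like_srt(text):
    """Structural check: at least one cue index followed by a timing line."""
    lines = [ln.strip("\ufeff \r") for ln in text.split("\n")]
    return any(lines[i].isdigit() and _TIMING.match(lines[i + 1])
               for i in range(len(lines) - 1))

def zip_bytes(entry_name, body):
    """Build an in-memory ZIP with one entry (only used to construct inputs)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, body)
    return buf.getvalue()

def extract_subtitle(payload):
    """Return validated SRT text, or None; accepts plain SRT or a one-entry ZIP, never touches disk."""
    if len(payload) > MAX_SUBTITLE_BYTES:
        return None
    data = payload
    if payload[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                infos = [zi for zi in zf.infolist() if not zi.is_dir()]
                if len(infos) != 1 or not is_safe_entry_name(infos[0].filename):
                    return None
                # Cap on bytes actually read, not on the header's file_size claim.
                data = zf.open(infos[0]).read(MAX_SUBTITLE_BYTES + 1)
        except zipfile.BadZipFile:
            return None
        if len(data) > MAX_SUBTITLE_BYTES:
            return None
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if looks_like_srt(text) else None
```

The archive is inspected in memory and only the validated text is handed to the player's parser, so a traversal entry name, a non-subtitle payload or an oversized entry is rejected before any file is written or parsed.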

Paper Structure (21 sections, 7 figures)

This paper contains 21 sections, 7 figures.

Figures (7)

  • Figure 1: Comparison of API SearchSubtitles request and response
  • Figure 2: API's ranking method documentation
  • Figure 3: User ranking criteria
  • Figure 4: Our malicious subtitle is ranked #1
  • Figure 5: Malicious ZIP file structure
  • ...and 2 more figures