PUT DOWN THE POPCORN and start panicking. Malicious subtitles are your latest security threat, and are coming for users of Kodi, Popcorn Time, strem.io and VLC.
Check Point has sounded the alarm bells, warning that vulnerabilities in the aforementioned media players could put around 200 million users at risk.
The security firm, which described the subtitle attack vector as the "most widespread, easily accessed and zero-resistance vulnerability that has been reported in recent years," explains: "Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user's media player.
"These subtitle repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user.
"This method requires little or no deliberate action on the part of the user, making it all the more dangerous."
The firm goes on to warn that the attack allows hackers to take complete control of any device running one of the affected players, and subsequently do whatever they want with the victim's machine, be it a smart TV, mobile device or PC.
"The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more," Check Point notes.
There is some good news, though. Both VLC and strem.io have addressed the issue and have fixed versions available to download from their respective websites. A fixed version of Popcorn Time can be manually downloaded here, and Kodi has released a fix which is currently only available as a source code release from GitHub.
What's more, Check Point notes that watching a legitimate copy of any media with subtitles shouldn't cause an issue. Instead, the problem arises when downloading subtitle files from third-party sites that provide translated subtitles.