Software like Kodi and VLC is vulnerable to hacking via malicious subtitles


Security researchers say it is possible to completely take control of devices running media player software like Kodi, VLC, Popcorn Time and Stremio. The attack uses subtitle files that contain malicious code.

The Check Point researchers have published their findings in a blog post and demonstrate in a video how they can completely take over computers running Kodi or Popcorn Time with a malicious subtitle file. In the case of Popcorn Time, the subtitle is downloaded automatically; with Kodi, a user can get the infected subtitles via, for example, OpenSubtitles.org. The researchers claim that they can manipulate the algorithm of such websites so that their malicious subtitle appears high in search results.

According to the researchers, the media players are vulnerable because more than 25 different subtitle file formats are in use, each with unique features and capabilities. Because the software has to be able to handle all those formats, there is a large number of vulnerabilities. The researchers are not disclosing technical details, because they want to give makers of media player software the chance to fix the vulnerabilities.

Kodi, VLC, Popcorn Time and Stremio are the platforms on which the researchers tested their hack, but they expect many other media players to be vulnerable as well. The developers of these players were informed in advance and have already partially fixed the vulnerabilities, according to Check Point, while further research is being done. VLC and Stremio have already released updates to their software to fix the vulnerability. The team behind Kodi tells TorrentFreak that version 17.2 of Kodi, which addresses the vulnerability, will be released this week.

Update 21:07: Kodi has already released version 17.2.
