Hackers have reportedly planted malicious files in film subtitles that could then be streamed to millions of users, allowing the cyber criminals to take control of media devices.
Check Point Software Technologies said in a statement Tuesday that third-party streaming platforms like VLC, Kodi (XBMC), Popcorn-Time, and strem.io are vulnerable to the new hacks. The software security company said that hackers have figured out how to plant viruses in the subtitles of films carried on those services, which are then downloaded by unsuspecting victims.
"We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years," Check Point said in its statement.
"Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker's malicious subtitles a high score, which results in those specific subtitles being served to the user," the statement continued.
Forbes magazine contributor Emma Woollacott wrote that the hack only affects subtitle files from third-party sites, meaning legitimate copies should be safe. But the attack can affect any device from personal computers to smart televisions and mobile devices.
"It's delivered when movie subtitles are loaded by the user's media player — which treats them as a trusted source," Woollacott wrote for Forbes. "And the subtitle repositories can even be manipulated into giving the malicious subtitles a higher score, making them more likely to be served up to the user."
Check Point stated that the hack could lead to theft of sensitive information, the installation of ransomware, mass denial-of-service attacks, and other consequences. TechCrunch said that fixes and patches for the streaming services are now available.
© 2022 Newsmax. All rights reserved.