Kodi
Check Point says text-based subtitles could be used to hack users of Kodi and VLC iStock, Kodi

A team of security researchers has claimed popular media players including VLC and Kodi were, until recently, putting hundreds millions of users at risk of cyberattack as hackers could use malicious subtitle files to gain "full control" over PCs, smart TVs and smartphones.

Cybercriminals could craft text files for movies and TV shows which would then be downloaded by viewers around the world. By exploiting bugs in the media players hackers could take over any device running the software, Check Point experts said this week (23 May).

The researchers uncovered vulnerabilities in four of the most popular media players: VLC, Kodi (XBMC), Popcorn Time and Stremio. Worryingly, Check Point claimed it has reason to believe that similar security flaws exist in other streaming media players.

It's certainly a fresh attack vector – a unique take on malware infection.

Typically, text-based subtitles are created by writers and then uploaded to internet stores - such as OpenSubtitles or SubDB - before being indexed and ranked based on popularity and usefulness.

But Check Point experts said they had found hackers had found a way to manipulate the online repositories' ranking algorithms to game the system.

As a result, the cybercriminals could make malicious subtitles be automatically downloaded by the media player and circumvent all user interaction, the team claimed.

Vulnerability researcher Omri Herscovici said: "The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities.

"There are multiple vulnerabilities that could be exploited, making it a hugely attractive target. We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds."

He said the system is open to attack because it's highly fragmented. After the existing vulnerabilities were responsibly disclosed to the companies, all four were able to patch their software. Stremio and VLC have now released new versions incorporating the fix.

"To protect themselves and minimise the risk of possible attacks, users should ensure they update their streaming players to the latest versions," Herscovici stressed.

The use of such media players is vast. VLC is the most downloaded of the bunch with more than 170 million users around the globe. Meanwhile Kodi, the somewhat controversial streaming software, currently boasts more than 10 million unique visitors every day, Check Point said.

You can see the hack in action in the video below

Check Point Software Technologies, Ltd.