May 25, 2017 By Shane Schick 2 min read

“Attack Of The Subtitles” may sound like the name of a particularly geeky horror film, but researchers say it’s an actual threat whereby cybercriminals could perform remote code execution and take over entire systems.

Two Thumbs Down

Check Point Security disclosed the vulnerability, which may be running in more than 200 million streaming platforms and video players. The researchers said all it takes is downloading a malicious subtitle text file for cybercriminals to perform remote code execution. They can then launch distributed denial-of-service (DDoS) attacks, steal information or install ransomware, among other things.

The subtitle files in question are usually contained in repositories such as OpenSubtitles.org, where users specifically select them. That means potential victims have essentially opted in to download the malware, Threatpost explained.

Unfortunately, the lack of standardization in the way subtitle files are parsed means remote code execution flaws are incredibly common. Malicious actors could manipulate the ranking algorithm in the repositories to make sure the malicious subtitle files were seen as the most popular choice.

A New Avenue for Remote Code Execution

Forbes pointed out that while the use of subtitles may be somewhat novel, media players make sense as a possible attack vector given how prevalent they are. Smart TVs in particular may become targets for cybercriminals, offering an easy way to spy or collect information while users are innocently enjoying their favorite movies or television shows.

For the moment, there is no evidence that the remote code execution flaws via subtitles are being exploited in the wild. TechCrunch reported that most of the players at risk — including VLC, Popcorn Time, Kodi and Stremio — have released fixes or are being automatically patched. A demo clip of how the attack works, called “Hacked In Translation,” is also circulating on YouTube and can educate people about the potential dangers.

Even with the risk of remote code execution, streaming video isn’t about to die off anytime soon. Digital Trends said the real lesson here is that the simplest pieces of technology we take for granted — like subtitles — are the very thing cybercriminals might turn to their advantage. That’s why the ongoing story of IT security is so gripping: Just when you least expect it, there’s always a plot twist.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today