Subtitles Present New Opportunity for Remote Code Execution Across 200 Million Streaming Players

May 25, 2017 @ 2:36 PM
| |
2 min read

“Attack Of The Subtitles” may sound like the name of a particularly geeky horror film, but researchers say it’s an actual threat whereby cybercriminals could perform remote code execution and take over entire systems.

Two Thumbs Down

Check Point Security disclosed the vulnerability, which may be running in more than 200 million streaming platforms and video players. The researchers said all it takes is downloading a malicious subtitle text file for cybercriminals to perform remote code execution. They can then launch distributed denial-of-service (DDoS) attacks, steal information or install ransomware, among other things.

The subtitle files in question are usually contained in repositories such as, where users specifically select them. That means potential victims have essentially opted in to download the malware, Threatpost explained.

Unfortunately, the lack of standardization in the way subtitle files are parsed means remote code execution flaws are incredibly common. Malicious actors could manipulate the ranking algorithm in the repositories to make sure the malicious subtitle files were seen as the most popular choice.

A New Avenue for Remote Code Execution

Forbes pointed out that while the use of subtitles may be somewhat novel, media players make sense as a possible attack vector given how prevalent they are. Smart TVs in particular may become targets for cybercriminals, offering an easy way to spy or collect information while users are innocently enjoying their favorite movies or television shows.

For the moment, there is no evidence that the remote code execution flaws via subtitles are being exploited in the wild. TechCrunch reported that most of the players at risk — including VLC, Popcorn Time, Kodi and Stremio — have released fixes or are being automatically patched. A demo clip of how the attack works, called “Hacked In Translation,” is also circulating on YouTube and can educate people about the potential dangers.

Even with the risk of remote code execution, streaming video isn’t about to die off anytime soon. Digital Trends said the real lesson here is that the simplest pieces of technology we take for granted — like subtitles — are the very thing cybercriminals might turn to their advantage. That’s why the ongoing story of IT security is so gripping: Just when you least expect it, there’s always a plot twist.

Shane Schick
Writer & Editor
Shane Schick is a contributor for SecurityIntelligence.