Security researchers have discovered an exploit in various media players that allows hackers to use subtitles to take over computers, smartphones, and smart TVs.
Binge watchers, especially those who love to watch movies and TV shows in other languages, should be very careful with the subtitles that they download onto their systems, as the files may carry malware.
Hackers Use Subtitles To Break Into Devices
The exploit, which was discovered by Check Point, is found in many popular streaming platforms, including VLC, Kodi, Popcorn Time and Strem.io. It is not dependent on the user's device, so any system that can install the media players is exposed to the attack.
Check Point warned that millions of users worldwide are exposed to the vulnerability, with the security firm estimating that about 200 million video players and streamers installed in devices are currently using versions that are unprotected against the hack.
According to Check Point, the subtitles hack is "one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years."
Hackers who aim to take advantage of the exploit create fake movie subtitles that, when downloaded, dump malware onto the user's device and notify the hacker that the system was compromised. This is possible due to Check Point's discovery that malformed subtitle files allow hackers to embed code into them. Subtitle files, considered harmless as simple text files, are usually trusted by both users and media players, so they were overlooked as a possible method for cybersecurity breaches.
How To Protect Yourself Against The Subtitles Hack
The subtitles hack does not affect users who watch legitimate copies of films that already come with subtitles. However, for those who download subtitles for movies and TV shows, the hack becomes a significant risk.
Fortunately, there are already solutions available so that users can protect themselves from the subtitles hack. For VLC and Strem.io, the latest versions available on their respective websites already fix the exploit. The fixed version of Popcorn Time is not yet available on its official website, but it can be manually downloaded through this link. Lastly, for Kodi, there is already a fixed version but it is currently only a source code release.
Update Your Media Players Now
Users who have any of these media players installed should install the fixes right away if they are available, and should stay tuned for updates to patch the problem if they are not yet available. In the meantime, it would be best to refrain from downloading subtitles, even from reputable subtitle websites. This is because hackers can use a variety of methods to make their infected file appear as the top-ranked option for subtitles for a certain TV show or movie.
In the fight against hackers, while technology companies and software creators should take the initiative in providing protection against cyberattacks, users also carry the responsibility of installing system updates as soon as they are released. The WannaCry ransomware, for example, did most of its damage on older versions of Windows, as users and companies refused or simply did not understand the point of upgrading to the most recent version of Windows for better security.