Enjoy watching foreign films? We have some bad news.
Security researchers have discovered a new attack vector that could allow online miscreants to gain access to your PC, mobile device and smart TV: malicious subtitles. Researchers from security firm Check Point said “hundreds of millions” of devices running VLC, Kodi, Popcorn Time and Stremio — four of the most popular media players out there — are at risk.
“Malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds,” Check Point vulnerability research team leader Omri Herscovici said in a statement.
He went on to say that the subtitle supply chain is “complex,” with more than 25 different formats in use, all with unique features. “This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers,” Herscovici said.
Subtitles for films and TV shows are created by “a wide range of subtitle writers,” who upload them to shared online repositories such as OpenSubtites.org, where…