Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Media Players Expose Millions of Systems to Subtitle Attacks

Malicious actors could hijack millions of systems using specially crafted subtitle files that exploit vulnerabilities in some of the most popular media players, security firm Check Point warned on Tuesday.

Malicious actors could hijack millions of systems using specially crafted subtitle files that exploit vulnerabilities in some of the most popular media players, security firm Check Point warned on Tuesday.

According to experts, attackers can take complete control of a device simply by getting the targeted user to open a malicious subtitle file in one of the vulnerable media players. In the case of applications that automatically obtain subtitles from the Internet, it may be possible to conduct attacks without any user interaction.

Check Point’s analysis has focused on four popular media players, but researchers believe other applications are likely affected as well. The players confirmed to be vulnerable are VLC, the open-source home theater software Kodi (formerly known as XBMC), the video streaming app Stremio, and Popcorn Time, which streams movies and TV shows directly from torrents.

Experts pointed out that the potential number of victims for these subtitle attacks is very high considering that the latest version of VLC has been downloaded 170 million times, and Kodi reportedly has nearly 40 million unique users each month.

The developers of these media players have released patches, but some issues are still under investigation and Check Point has decided not to make public any technical details.

According to the security firm, hackers can use specially crafted subtitle files to execute arbitrary code, which can allow them to take complete control of the system.

“The attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” Check Point’s research team said in a blog post. “The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

A video published by Check Point shows how the attack works:

While in some cases the targeted user needs to be convinced to open the malicious file with an affected player, researchers warned that attackers could also manipulate the ranking algorithm of subtitle websites to ensure that applications designed to automatically load subtitles would pick their file. By ensuring that their subtitle has a high ranking, attackers also increase the chances of users manually loading the malicious files.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.