Hacking using subtitles

After the WannaCry ransomware’s global cyber attack, Check Point researchers have announced a new cyber attack vector that leaves more than 200 million users vulnerable.

They have discovered flaws in the most popular media players, such as VLC, Kodi (XBMC), Popcorn-Time and strem.io. Using these flaws, a hacker can take over your PC, mobile device or smart TV.

Researchers revealed a new cyber attack vector that uses a completely overlooked technique: the attack is delivered when movie subtitles are loaded by the user’s media player. Subtitle repositories are in practice treated as a trusted source by the user or media player, but the research has shown that those repositories can be manipulated and made to award the attacker’s malicious subtitles a high score, which results in those malicious subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.

Cause and effect of attack:

There are more than 25 subtitle formats in use. Media players don’t focus much on security when handling subtitle files, and hackers rely heavily on that. By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the hacker can do whatever they want with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the hacker can inflict is endless, ranging anywhere from stealing sensitive information to installing ransomware, mounting mass Denial of Service attacks, and much more.


How to Protect your system:

Check Point researchers have already informed the developers of VLC, Kodi, Popcorn-Time and Strem.io about the recently discovered vulnerabilities.

The developers have since released patched versions of the vulnerable media players:

VLC: http://get.videolan.org/vlc/

Kodi: https://kodi.tv/download

Popcorn-Time: https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249/

strem.io: https://www.strem.io/download/

Check Point researchers have demonstrated remote code execution using subtitles in Popcorn Time and Kodi.

So, better watch out where you download your subtitles from and update your media players as soon as possible.


  1. You made several fine points there. I did a search on the subject matter and found a good number of persons will agree with your blog.

