
Hackers can use subtitles to take over millions of devices running VLC, Kodi, Popcorn Time and Stremio


Batu69


Check Point researchers revealed a new attack vector threatening millions of users of popular media players, including VLC, Kodi (XBMC), Popcorn Time and Stremio. By crafting malicious subtitle files for films and TV programmes, which are then downloaded by viewers, attackers can potentially take complete control of any device running the vulnerable platforms.

 


 

“The supply chain for subtitles is complex, with over 25 different subtitle formats in use, all with unique features and capabilities. This fragmented ecosystem, along with limited security, means there are multiple vulnerabilities that could be exploited, making it a hugely attractive target for attackers,” said Omri Herscovici, vulnerability research team leader at Check Point.

 

Here’s a video of the attack:

 

Hacked in Translation Demo

 

The subtitles for films or TV shows are created by a wide range of subtitle writers, and uploaded to shared online repositories, such as OpenSubtitles.org, where they are indexed and ranked. Researchers also demonstrated that by manipulating the repositories’ ranking algorithm, malicious subtitles can be automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain without user interaction.

How many users are affected?

VLC has over 170 million downloads of its latest version, released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users per month. No current estimates exist for Popcorn Time usage, but it is estimated to be tens of millions.

Check Point has reason to believe similar vulnerabilities exist in other streaming media players.

What can you do?

Since the vulnerabilities were disclosed, all four companies have fixed the reported issues. Stremio and VLC have also released new software versions incorporating this fix.

“To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” concluded Herscovici.

 

Article source

JimmySvert

This seems to be a serious threat. It's always better to do some things manually (e.g. downloading subs / streams from sources you trust without using third-party software, etc.)



That's why it's better to download subs manually!! -_-



It seems that when your players go to the website and download the subs, hackers are using XSS (Cross-Site Scripting) and sending you an infected sub. The patch is an XSS protection for subs.

 

Links:

https://github.com/popcorn-official/popcorn-desktop/commit/a9aa8e16610ee8cb23ba4a6452c5a69bf88d9107#diff-dae321f04e3a88d56a74ff57c73c2002
https://github.com/butterproject/butter-desktop/pull/602
https://github.com/xbmc/xbmc/pull/12024

If you use NoScript in your browser, even with it disabled it protects against XSS attacks, and just downloading your subs the old-fashioned way is the safest way.
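The article's point is that subtitle files are untrusted input. As an added example (not part of the original posts, and not code from any of the players or patches linked above), this sketch escapes subtitle cue text before it reaches an HTML view; the allowlisted tags, function names and sample cues are assumptions made for illustration.

```javascript
// Added example: treat subtitle text as untrusted before it reaches an HTML view.
const ALLOWED_TAGS = new Set(['i', 'b', 'u']); // assumption: formatting worth keeping

function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[ch]));
}

// Escape everything, then restore only bare allowlisted tags (no attributes).
function sanitizeCueText(text) {
  return escapeHtml(text).replace(/&lt;(\/?)([a-z]+)&gt;/gi, (match, slash, tag) =>
    (ALLOWED_TAGS.has(tag.toLowerCase()) ? `<${slash}${tag.toLowerCase()}>` : match));
}

// Minimal SRT parser: index line, timing line, then one or more text lines.
function parseSrt(srt) {
  const cues = [];
  for (const block of srt.replace(/\r\n?/g, '\n').split(/\n{2,}/)) {
    const lines = block.split('\n').filter((l) => l.trim() !== '');
    if (lines.length < 3) continue;
    const timing = /^(\d{2}:\d{2}:\d{2},\d{3}) --> (\d{2}:\d{2}:\d{2},\d{3})/.exec(lines[1]);
    if (!/^\d+$/.test(lines[0].trim()) || !timing) continue; // drop malformed cues
    cues.push({
      start: timing[1],
      end: timing[2],
      html: lines.slice(2).map(sanitizeCueText).join('<br>'),
    });
  }
  return cues;
}

// Constructed sample input: one ordinary cue, one carrying markup, one malformed.
const SAMPLE_SRT = [
  '1', '00:00:01,000 --> 00:00:03,000', '<i>Hello</i> & welcome', '',
  '2', '00:00:04,000 --> 00:00:06,000', '<img src=x onerror="run()"><b>Hi</b>', '',
  'garbage', 'not a timing line', 'ignored', '',
].join('\n');

console.log(parseSrt(SAMPLE_SRT));
```

Escaping first and restoring an allowlist afterwards means any tag or attribute the allowlist does not name stays inert text.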



I usually edit the subs I download before I use them... And I download them from reputable sources.

So what script?

 



This is new and very creative.

Luckily, Check Point researchers discovered it first, shared the vulnerability with the affected players and saved us from great pain.

Thanks Check Point!

 

Just now, Batu69 said:

 

What can you do? (to protect yourself)

Since the vulnerabilities were disclosed, all four companies have fixed the reported issues. Stremio and VLC have also released new software versions incorporating this fix.

“To protect themselves and minimize the risk of possible attacks, users should ensure they update their streaming players to the latest versions,” concluded Herscovici.

 

Article source

 



Thread merged with batu's...Please do a full forum search before Posting.....



At 1:23 PM, JeffDunhill said:

Manual downloading of subs is also under threat?

The whole Internet is under threat, but as far as I know no 3rd-party sub sites have been compromised. I have an account at opensubtitles; on that site you have always had to be careful not to click on fake download buttons. I block them with uBlock Origin because of the advertisements they use. Get yourself some good cross-site blocking addons like uMatrix and NoScript. I've been visiting sub sites for years and never had any problems. Most of the time I don't need subs, only for non-English movies and movies that have non-English parts, but sometimes the release groups have subs in the release and I don't need to visit any site.



3 minutes ago, 0bin said:

This is low move from them, many people using English subs to improve their English skills...

Well, that is just a fact of life. Even when people try to download Adobe Flash Player online, Adobe uses PUPs. Many freeware and shareware programs do too. Even when you visit Google you could get infected if not careful. And filehost and torrent sites are some of the worst for malicious ads. And many websites also use canvas fingerprinting and WebGL fingerprinting to get your hardware ID so they can keep track of you even using a VPN. The web runs off advertising :P

 

Here is a userscript that has a list of some of the sites that use adware, if you care to look.

AntiAdware

https://greasyfork.org/en/scripts/4294-antiadware

 



27 minutes ago, 0bin said:

Yes, was using before with Greasemonkey combo, now with the advent of Adblock Protector switched to Tampermonkey with Adsbypasser+Antiadware+Adblock Protector+Maknyos Autoin

The only Chrome browser I find working right to block canvas fingerprinting is Slimjet, which has a built-in blocker. Canvas Defender breaks some websites in Chrome like openload; Disable WebGL is working OK, but if you're worried about being tracked I would never suggest using Chrome, it's better to use Waterfox or Firefox ESR. The Adblock Protector list is built into uBlock Origin; it seems to work OK using it with the Reek script and Greasemonkey. The guy who makes the Adblock Protector script needs to fix his script to work on Greasemonkey, because Tampermonkey is buggy in Firefox and can't be used in ESR.



4 minutes ago, 0bin said:

AAK Reek seems not currently under development. Adblock Protector is updated many times, sometimes multiple times a day, but it is a different approach, and because of that it works better than the previous one.

 

Do you think that addon is better than Canvas Defender for Chrome?

 

I preferred Greasemonkey too, but I read something about the security of that addon; I will review that.

 

 

A script that doesn't work in my browser is useless. I don't use e10s in my browsers in Linux or Windows.

This is not what you need to worry about anyway. It takes 33 bits of entropy data to identify someone.

https://33bits.org/about/

 

I'm scoring around 18 in Waterfox with the addons I have installed.

https://panopticlick.eff.org/

 



5 minutes ago, 0bin said:

If you use Tampermonkey also? 

I hope he will support also Greasemonkey

That error is from Tampermonkey; it doesn't work without e10s. It works OK in Chrome-based browsers. Greasemonkey has over a million users at AMO; there is no excuse for making a shabby script that doesn't work in it. I'm not changing my addon just because one script won't work.. :)



6 minutes ago, 0bin said:

The canvas score I obtain are lower with the one you suggested, removed Canvas Defender, added this one

I'm not talking about just canvas itself, I'm talking about the score as a whole; canvas only makes up a small percent of the data they collect. All it takes is 33 bits of all tracking techniques combined.

 

 

Canvas Fingerprinting: a reality check

http://theprivacyblog.com/tracking-2/canvas-fingerprinting-a-reality-check/

 



15 minutes ago, 0bin said:

Firefox Currently, we estimate that your browser has a fingerprint that conveys 17.26 bits of identifying information.

Chrome  Currently, we estimate that your browser has a fingerprint that conveys at least 18.26 bits of identifying information.

All I had to do is change my addon canvas blocker to prescient; it lowered it. Currently, we estimate that your browser has a fingerprint that conveys 16.67 bits of identifying information.



straycat19

From the looks of the video they are using Remote Desktop to access the targeted system.  Therefore, the default port for RDP (3389), can be blocked and RDP disabled.  That will effectively stop them from 'taking over' your computer.  Keep in mind, like all published exploits, they are done in a lab under controlled conditions and obviously have no security enabled on the systems.  Hopefully the users on Nsane are a little smarter than the dumb systems they use in the labs to run their exploits on.  The world of cyber security has become the new version of the kids book about Chicken Little running around saying, "The sky is falling, the sky is falling!"

 

 



2 hours ago, straycat19 said:

From the looks of the video they are using Remote Desktop to access the targeted system.  Therefore, the default port for RDP (3389), can be blocked and RDP disabled.  That will effectively stop them from 'taking over' your computer.  Keep in mind, like all published exploits, they are done in a lab under controlled conditions and obviously have no security enabled on the systems.  Hopefully the users on Nsane are a little smarter than the dumb systems they use in the labs to run their exploits on.  The world of cyber security has become the new version of the kids book about Chicken Little running around saying, "The sky is falling, the sky is falling!"

 

This is true, it never was in the wild as far as we know, but Google Chrome is the world's worst at paying hackers to find exploits not in the wild so they can patch them; they have been doing this for years. Well, Check Point found this one for free and video player vendors have patched it by now. It's one less 0day either way, no matter how hard you try to underrate it. If something was to happen now and you didn't update your software it would be no one's fault but your own. :P

 

These are open source projects; they don't have the money to pay researchers like closed source projects do, and open source that's being heavily developed patches things ASAP, whereas closed source puts it off as long as they can. Closed source should use this and many more cases as an example of how they should patch 0days.

 

What about the exploit that was patched in March that was in the wild for 5 years, and hackers waited till 3 months after it was patched to infect 1000s of PCs because certain idiots didn't do security updates? The thing about exploits: after you're attacked it's too late. In this day and age it pays to be paranoid, and if you think you can use old software that connects to the open Internet and never do updates, it means you have poor cyber security and you think you're 10 feet tall and bulletproof. Your day is coming.

 

People who put down people who try to protect their privacy and security sound like Covert Agents that benefit from no one doing anything to try to protect themselves, so they spread deceit. Or either they have been brainwashed down to their level and are doing the Government's dirty work for free. It's one or the other!

 

How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations

https://theintercept.com/2014/02/24/jtrig-manipulation/

 



Archived

This topic is now archived and is closed to further replies.
