Skip to main content

PSA: Many major media players vulnerable to attack via malicious subtitles files [Video]

Security researchers have discovered a surprising new way for attackers to gain control of a machine: malicious subtitles. The vulnerability is device-independent, meaning it could be used to gain control of anything from an iPhone to a Mac.

The vulnerability was discovered by Check Point, which describes it as a significant risk.

Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles. By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.

There is no evidence that this attack vector is yet in active use, but now that the possibility has been disclosed, it’s likely only a matter of time before the bad guys figure out the details and start using it.

Check Point said that the vulnerable code was found in many major media players, including VLC, Kodi, Stremio & PopcornTime. There are fixes available for all but Kodi, where the source code has been fixed but a runtime version is not yet available.

The firm has put together a proof of concept based on a Windows machine, but stresses that all devices are vulnerable. While malware remains a relatively small problem for Apple users, it is not a risk which can be completely ignored.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel



Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear