Malicious subtitles in popular media players could lead to remote compromise

Media software from VLC, Kodi, Popcorn Time, and Stremio are vulnerable, researchers say

Researchers at Check Point have discovered a flaw affecting several popular media players, stemming from how they process subtitles. If exploited, an attacker could gain remote access to the victim's system.

It's estimated that nearly 200 million video players and streaming apps use the vulnerable software.

Check Point says the vulnerable versions of VLC, Kodi, Popcorn Time, and Stremio have been downloaded more than 220 million times. All an attacker has to do is develop malicious subtitles, which are then downloaded to the user via the video player.

"The attack vector relies heavily on the poor state of security in the way various media players process subtitle files and the large number of subtitle formats. To begin with, there are over 25 subtitle formats in use, each with unique features and capabilities," Check Point explained.

"Media players often need to parse together multiple subtitle formats to ensure coverage and provide a better user experience, with each media player using a different method. Like other, similar situations which involve fragmented software, this results in numerous distinct vulnerabilities."

Check Point researchers found that malicious subtitles could be developed and shared to online repositories, such as By gaming the ranking algorithm on these repositories, the attacker's subtitles are selected as the best option and automatically downloaded.

The researchers created a proof-of-concept video outlining an attack, but will not release additional details out of an abundance of caution.

Stremio and VLC have released new versions of their media player in order to address the vulnerabilities. Kodi and Popcorn Time also fixed the flaws.

"We have reason to believe similar vulnerabilities exist in other media players as well. We followed the responsible disclosure guidelines and reported all vulnerabilities and exploits to the developers of the vulnerable media players," Check Point said in a blog post shared with CSO Online.

"Some of the issues were already fixed, while others are still under investigation. To allow the developers more time to address the vulnerabilities, we've decided not to publish any further technical details at this point."