Hundreds of millions of users could be at risk, as the flaw also affects VLC, Popcorn-Time and
Hundreds of millions of users could be at risk, as the flaw also affects VLC, Popcorn-Time and

Kodi: Users can be hacked through subtitles

People are being urged to download a new update for the software

Aatif Sulleyman
Wednesday 24 May 2017 17:30

Kodi has urged users to download a new update after security researchers discovered a vulnerability that could allow hackers to take over people’s devices.

The issue is an unusual one, which allows criminals to attack Kodi users through subtitles.

Millions of people are believed to be at risk, and they don’t need to have done anything wrong in order to be targeted.

Check Point, which discovered the issue, has described it as “one of the most widespread, easily accessed and zero-resistance” vulnerabilities reported in recent years.

“By conducting attacks through subtitles, hackers can take complete control over any device running them,” the company says. “From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device.

“The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

Subtitles are perceived as “benign text files”, allowing this particular attack vector to go unnoticed by users and antivirus software alike.

Kodi was alerted to the issue before Check Point made its announcement, and has had time to create a fix.

“Our developers fixed this secuity [sic] gap and have added the fix to this v17.2 release,” Kodi has announced.

“As such we highly encourage all users to install this latest version! Any previous Kodi version will not get any security patch.” Users can download the latest version of Kodi here.

The open-source software is legal, but add-ons created by third parties can let people use it for access to illegal streams for sports events, TV shows and films.

Check Point says the same issue affects the VLC, Popcorn-Time and streaming platforms too. All three have issued fixes too, which can be accessed through Check Point’s blog.

“Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyberattack is delivered when movie subtitles are loaded by the user’s media player,” the company explains.

“These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user.

“This method requires little or no deliberate action on the part of the user, making it all the more dangerous.”

Register for free to continue reading

Registration is a free and easy way to support our truly independent journalism

By registering, you will also enjoy limited access to Premium articles, exclusive newsletters, commenting, and virtual events with our leading journalists

Already have an account? sign in

By clicking ‘Register’ you confirm that your data has been entered correctly and you have read and agree to our Terms of use, Cookie policy and Privacy notice.

This site is protected by reCAPTCHA and the Google Privacy policy and Terms of service apply.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in