Subtitles hack can control your system through media player vulnerabilities

Researchers at Check Point Security Labs have uncovered a nasty new hacking technique that takes advantage of security deficiencies in several popular media players. The exploit uses phony subtitle files to breach a user’s defenses, at which point it’s possible to gain complete control over the system.

Hackers can apparently create malicious subtitle files that run code when they’re loaded into a media player, according to the report published by Check Point. The company estimates that hundreds of millions of users running software like VLC, Kodi, Popcorn Time, and Stremio could be at risk.

Subtitle files are generally perceived as being harmless, and as such they’re rarely vetted too stringently by media players or antivirus software. The situation is made worse by the fact that there’s little standardization, with over 25 different formats with different features and capabilities currently in use.

Check Point has also determined that subtitle repositories are being manipulated to help distribute the malicious files to users. Subtitles submitted by attackers are being boosted in the rankings, making it more likely that they’ll be downloaded by users and selected by media players that can download such files automatically.

Having discovered these vulnerabilities, Check Point disclosed the problem to the developers responsible for the media players that were tested. Some had already taken steps to address the issues, while others are still looking into the situation. As of the time of writing, VLC and Stremio have been officially updated with a fix, while a fixed version of Popcorn Time is available here, and a fixed source code release of Kodi is available here. There are still concerns that other media players might also be affected.

The key here is that subtitle files are being exploited because they’re widely considered to be innocuous. As soon as users and developers drop their guard, malicious hackers see their window of opportunity — and that’s why the work done by organizations like Check Point is so important.

Brad Jones
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…