What's more worrisome is the fact that subtitle files are perceived as harmless by everyone, including antivirus software, which makes detection almost impossible.
Some media player apps can automatically download subtitle files from major repositories like OpenSubtitles.org, which can offer hackers an easy portal to initiate this kind of attack.
"This method requires little or no deliberate action on the part of the user, making it all the more unsafe," Check Point said.
No additional details have been disclosed yet about how each video player is affected, although the researchers did share the details with each of the software developers so they can tackle the issue.
Malicious subtitle files can open up a tunnel from your PC, Smart TV or smartphone to an attacker, giving them full control of the device.
"Today, we checked and found vulnerability in most famous four media players: VLC, Kodi (XBMC), and Stremio". These subtitle files are treated as a trusted source by media players and bypass the security checks in place on the host computer. Since some media players download subtitles automatically, it is easy for attackers to infect users' devices. The latest versions of Kodi, VLC, and Stremio are also officially fixed.
One of the main problems is that subtitle files are usually viewed as simple - and benign - text files, which means they don't often receive the same level of vetting from antivirus programs as other files a user might download.
Check Point have reason to believe similar vulnerabilities exist in other media players too.
The security firm says that once attackers gain access to the victim's PC, the possible damage is endless, ranging from stealing sensitive information and installing ransomware to mass Denial of Service (DoS) attacks.
According to security firm Check Point, which discovered the vulnerability, hackers are attacking users via the subtitle function, with millions of users thought to be at risk.
The security researchers reported the vulnerabilities to the organisations that maintain the popular media streaming platforms. In terms of PopcornTime, the announcement notes that a fix has been created, although it has yet to be made available to download. A fixed version of Popcorn-Time can be manually downloaded here, and Kodi has released a fix which is now only available as a source code release from GitHub.