Security researchers discovered a security vulnerability in a number of video players. The Stremio ecosystem has been protected against this vulnerability and is absolutely safe to use.  

The security firm Check Point discovered a security vulnerability that could potentially be harmful for millions of users around the world - an attack by subtitles. The threat affected the video players of Stremio, Kodi, VLC and Popcorn Time, and Check Point estimates that 200 million users around the world use these players and could be exposed to the threat. Ouch!

Following the responsible disclosure guidelines, Check Point’s representatives got in touch the minute they discovered the vulnerability a couple of weeks ago. The Stremio security team wasted no time, and within the same day, we had already released a patch that would prevent hackers from exploiting the vulnerability. This patch essentially shut down all the attack vectors that could make an attack possible.

None of our users had to install a specific version of the Stremio apps - whether you’re using Stremio on desktop, Android or iOS, the apps are automatically updated to the latest available version in order to ensure optimal performance. In this case this meant that anyone who launched Stremio after the security patch was released had the app upgraded immediately. To date, all of our users should be running a version of Stremio that is no longer vulnerable to being hacked through subtitle files.

What’s the potential threat

The vulnerability discovered by Check Point allows hackers to insert malicious code into movie subtitle files. Once the user loads the infected subtitles file, the perpetrators gain access to the user’s computer.

Why is it dangerous?

Subtitle files are generally considered harmless text files. This means that anti-virus programs or other security solutions don’t check them for malware, thus leaving the users exposed.

This is an attack vector that allows hackers to run malicious software on users’ computers, tablets, phones or smart TVs without the users even knowing - simply by opening a subtitles file with malware in their video players.   

Once hackers have gained access to the infected device, they can pretty much do whatever they want on it - steal security-sensitive data, install ransomware, execute a mass denial of service attack and so forth.

How could the attack vector spread

As Check Point explains, there are a number of shared online repositories for movie subtitles, and some media players download subtitles from them automatically.

By manipulating the ranking algorithms of the repositories, hackers can make sure that the malicious subtitles are ranked highest and therefore downloaded in preference to other subtitle files. This makes the attack even easier for hackers, as it lets them skip a Man in the Middle attack or any direct interaction tricking the user into opening the malicious software.

Bottomline: Is Stremio safe to use?

The short answer is: Yes. As we already said, the moment we found out about the vulnerability, we sanitized the subtitles content environment of Stremio and patched all of our apps to make sure each and every one of our users is protected.
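A defender-side illustration of the kind of subtitle sanitization mentioned here, added as an example and not Stremio's own patch or code. It assumes subtitles arrive in SRT format and that the player's text renderer honours markup, so it parses each cue strictly and strips everything except a tiny allowlist of styling tags before the text reaches the renderer; the sample file is constructed for this example.

```python
import re

# Constructed sample: two cues, the second carrying markup that a plain-text
# subtitle has no reason to contain.
SAMPLE_SRT = """1
00:00:01,000 --> 00:00:03,000
Hello, <i>world</i>.

2
00:00:04,000 --> 00:00:06,500
Look here <script>alert(1)</script><a href="http://example.invalid">link</a>

"""

TIMING_RE = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3}) --> (\d{2}:\d{2}:\d{2},\d{3})$")
TAG_RE = re.compile(r"<[^>]*>")
# Only bare italic/bold/underline tags survive; anything with attributes,
# scripts, links or unknown names is dropped.
SAFE_TAG_RE = re.compile(r"^</?(i|b|u)>$", re.IGNORECASE)


def sanitize_cue_text(text: str) -> str:
    """Keep plain text plus an allowlist of styling tags; drop control chars."""
    def keep_or_drop(match):
        tag = match.group(0)
        return tag if SAFE_TAG_RE.match(tag) else ""
    text = TAG_RE.sub(keep_or_drop, text)
    return "".join(ch for ch in text if ch == "\n" or ch.isprintable())


def parse_srt_strict(raw: str) -> list:
    """Parse SRT into (index, start, end, text) tuples, rejecting malformed blocks
    instead of guessing at them, so odd input never reaches the renderer."""
    cues = []
    for block in re.split(r"\n\s*\n", raw.strip()):
        lines = block.splitlines()
        if len(lines) < 3 or not lines[0].strip().isdigit():
            raise ValueError("malformed cue block: %r" % lines[:1])
        timing = TIMING_RE.match(lines[1].strip())
        if not timing:
            raise ValueError("bad timing line: %r" % lines[1])
        text = sanitize_cue_text("\n".join(lines[2:]))
        cues.append((int(lines[0]), timing.group(1), timing.group(2), text))
    return cues


if __name__ == "__main__":
    for cue in parse_srt_strict(SAMPLE_SRT):
        print(cue)
```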

We are happy to report that the Stremio experience remains as secure as it is enjoyable - and we remain open to any questions you may have in this regard.   
