An impressive new exploit gives hackers the ability to control your desktop through malware spread by fake movie subtitles. The exploit, which essentially dumps the malware onto your desktop and then notifies the attacker, affects users of video players like Popcorn Time and VLC.
Checkpoint found that malformed subtitle files can give hackers the ability to embed code into subtitle files popular with pirated movies and TV. Because these subtitles are usually trusted by video players and users alike they were an oft-overlooked vector for hack attacks.
If you’re using Popcorn Time – and you know you shouldn’t be – you can download a fix here. Otherwise VLC, Kodi, and Stremio should be patched automatically. In the demo below we see the subtitles essentially activating a TinyVNC connection with the attacker’s machine, allowing full access for the desktop. It’s a pretty steep price to pay just to watch Logan Noir.