An impressive new exploit gives hackers the ability to control your desktop through malware spread by fake movie subtitles. The exploit, which essentially dumps the malware onto your desktop and then notifies the attacker, affects users of video players like Popcorn Time and VLC.
Check Point found that hackers can embed code in malformed subtitle files of the kind popular with pirated movies and TV. Because these subtitles are usually trusted by video players and users alike, they were an oft-overlooked vector for hack attacks.
“Our research reveals a new possible attack vector, using a completely overlooked technique in which the cyber attack is delivered when movie subtitles are loaded by the user’s media player. These subtitles repositories are, in practice, treated as a trusted source by the user or media player; our research also reveals that those repositories can be manipulated and be made to award the attacker’s malicious subtitles a high score, which results in those specific subtitles being served to the user. This method requires little or no deliberate action on the part of the user, making it all the more dangerous.
Unlike traditional attack vectors, which security firms and users are widely aware of, movie subtitles are perceived as nothing more than benign text files.”
What Is the Risk in Using a Public Phone Charger?
If you have ever backed up your phone’s contents by plugging into the computer, you have seen how the USB port can transfer data as well as charge the device’s battery. The concept of “juice-jacking” has been proved at hacker conventions and seen in the wild, and it is definitely possible to transfer malicious software to a phone through a USB connection, perhaps from a computer or device concealed within a public charging station, like those found in airports or malls. If you are travelling and are concerned about keeping your phone’s battery charged, bring your own USB cable and AC adapter so you can plug right into a regular power outlet. Other solutions for protecting your phone include taking (or making) a power-only USB cable that lacks the internal wiring needed to transfer data. If you do not have one of those cables, power off the device before you plug it into a public charging port (although this is not a foolproof solution for every phone model out there).
Sanjay Gade