Popcorn Time Vulnerability Leaves Users Open to Attack

A security engineer has found a vulnerability in popular pirate movie application Popcorn Time that could leave users’ devices open to being hacked by a “man-in-the-middle” attacker. Antonios Chariton (aka ‘DaKnOb’), a Security Engineer & Researcher living in Greece, found the vulnerability in at least one fork of Popcorn Time’s code, and warns users that using the software in its present form could be a risky proposition.

“There are two reasons that made me look into Popcorn Time,” Chariton said. “First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.”

Popcorn Time uses Cloudflare to bypass ISP-level blocking in the UK – “a really smart” technique, according to Chariton – but the lack of layered security on top of that system is what leaves Popcorn Time open to attack.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explained. “The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”

Chariton exploited this vulnerability as a proof-of-concept, performing a “content spoofing” attack which changed the name of the movie Hot Pursuit to Hello World.

Using the same technique, Chariton could change any other information in Popcorn Time, but chose a method by which he could demonstrate the trick easily.

Next, he launched an XSS attack:

“We have injected malicious JavaScript and the client application executed the code. Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” Chariton said. “This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

So, what can be done to protect users? Nothing on the user-end, sadly, but Chariton has some advice for Popcorn Time’s developers. “HTTP is insecure,” he warned. “There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response.”

“Last but not least, just because something is Open Source doesn’t mean it’s audited and secure. Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do,” Chariton adds.
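The two fixes recommended above, refusing plain HTTP and checking the server response on the client before it is rendered, look roughly like this in a Node-based client. This is an added example, not Popcorn Time's code; the field names (`title`, `year`, `cover`), the function names and the sample response are assumptions constructed for illustration.

```javascript
// Added illustration, not Popcorn Time's code. Field names (title, year,
// cover) and the sample response below are constructed for this example.

// Refuse any API or asset URL that is not HTTPS.
function requireHttps(rawUrl) {
  const url = new URL(rawUrl); // throws on malformed input
  if (url.protocol !== 'https:') {
    throw new Error('refusing non-HTTPS URL: ' + url.protocol);
  }
  return url.href;
}

// Escape text before it is placed into HTML markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Validate one movie record from the server; return a cleaned copy or null.
function validateMovie(rec) {
  if (rec === null || typeof rec !== 'object') return null;
  const { title, year, cover } = rec;
  if (typeof title !== 'string' || title.length === 0 || title.length > 200) return null;
  // Year bounds are an arbitrary sanity range chosen for this example.
  if (!Number.isInteger(year) || year < 1888 || year > 2100) return null;
  let coverUrl;
  try { coverUrl = requireHttps(cover); } catch (e) { return null; }
  return { title, year, cover: coverUrl };
}

// Parse a response body and render only the records that pass validation.
function renderMovieList(body) {
  const parsed = JSON.parse(body);
  if (!Array.isArray(parsed)) throw new Error('expected an array of movies');
  return parsed.map(validateMovie).filter(Boolean).map((m) =>
    `<li data-year="${m.year}"><img src="${escapeHtml(m.cover)}">${escapeHtml(m.title)}</li>`);
}

// Constructed sample: one normal record, one with markup in the title,
// one with a plain-HTTP cover URL, one with a wrong type.
const sampleBody = JSON.stringify([
  { title: 'Hot Pursuit', year: 2015, cover: 'https://img.example/hp.jpg' },
  { title: '<b>Hello World</b>', year: 2015, cover: 'https://img.example/x.jpg' },
  { title: 'Plain HTTP cover', year: 2015, cover: 'http://img.example/y.jpg' },
  { title: 42, year: 2015, cover: 'https://img.example/z.jpg' },
]);

console.log(renderMovieList(sampleBody).join('\n'));
```

Records that fail validation are dropped rather than repaired, and the title that contains markup is rendered as literal text.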

Popcorn Time has responded to the threat, saying:

“This attack requires that the attacker is either inside the local network, inside the host machine, or has poisoned the DNS servers.

In any case, there are far more valuable attacks than simply hitting Popcorn Time. Especially because it does not run with elevated privileges and won’t let the attacker install new programs for example.”

Popcorn Time’s full statement can be found here.

Thank you TorrentFreak for providing us with this information.

Image courtesy of GeekZine.

Ashley Allen
