One of the most popular movie streaming apps online might be a prime target for hackers. On Monday, TorrentFreak shared a report from Antonios Chariton (aka DaKnOb), a security engineer and researcher who discovered a major vulnerability in one of the most popular forks of Popcorn Time.
“There are two reasons that made me look into Popcorn Time,” said Chariton. “First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.”
Basically, in order to bypass the blocking in Europe, the developers of Popcorn Time use Cloudflare infrastructure, which means that European ISPs would theoretically have to block the entire Cloudflare network in order to effectively shut off access to Popcorn Time.
Unfortunately, “the request to Cloudflare is initiated over plain HTTP,” which Chariton explains could allow an intruder to initiate a man-in-the-middle attack on the host’s computer. Seemingly without much effort, Chariton was able to inject malicious code through the app himself, taking control of the application.
But not all is lost, provided the developers are willing to follow the researcher’s advice:
“HTTP is insecure. There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response.”
It took one hour for Chariton to find this vulnerability, come up with a plan to exploit it and write the necessary code. This is clearly an issue that requires immediate attention. There’s an ongoing discussion between Chariton and the developers on the site’s GitLab.
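The researcher's two recommendations (HTTPS only, and client-side checks of the server response) can be sketched as follows. This is an added example, not code from Popcorn Time or from Chariton; the API origin, the record fields (`title`, `year`, `poster`) and the sample response are assumptions made for illustration.

```javascript
// Added example. API_ORIGIN, the record fields and SAMPLE_BODY are assumptions.
const API_ORIGIN = 'https://api.example.invalid';

// Refuse any endpoint that is not HTTPS on the expected origin.
function checkEndpoint(rawUrl) {
  const url = new URL(rawUrl);
  if (url.protocol !== 'https:') throw new Error('refusing non-HTTPS endpoint');
  if (url.origin !== API_ORIGIN) throw new Error('unexpected origin ' + url.origin);
  return url.href;
}

// Escape text so it is displayed as text rather than parsed as markup.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Check one record against the assumed schema; return null if it does not fit.
function validateMovie(item) {
  if (typeof item !== 'object' || item === null) return null;
  const { title, year, poster } = item;
  if (typeof title !== 'string' || title.length === 0 || title.length > 200) return null;
  if (!Number.isInteger(year) || year < 1888 || year > 2100) return null;
  if (typeof poster !== 'string') return null;
  let posterUrl;
  try { posterUrl = new URL(poster); } catch (err) { return null; }
  if (posterUrl.protocol !== 'https:') return null;
  return { title: escapeHtml(title), year, poster: posterUrl.href };
}

// Parse a response body, keeping only records that pass validation.
function parseMovieList(body) {
  let data;
  try { data = JSON.parse(body); } catch (err) { throw new Error('response is not JSON'); }
  if (!Array.isArray(data)) throw new Error('response is not a list');
  const accepted = data.map(validateMovie).filter((m) => m !== null);
  return { accepted, rejected: data.length - accepted.length };
}

// Constructed sample response: one clean record and three tampered ones.
const SAMPLE_BODY = JSON.stringify([
  { title: 'Example Film', year: 2014, poster: 'https://img.example.invalid/a.jpg' },
  { title: '<script>/* injected */</script>', year: 2015, poster: 'https://img.example.invalid/b.jpg' },
  { title: 'Downgraded poster', year: 2015, poster: 'http://img.example.invalid/c.jpg' },
  { title: 'Wrong type', year: '2015', poster: 'https://img.example.invalid/d.jpg' },
]);

console.log(checkEndpoint(API_ORIGIN + '/movies'));
console.log(parseMovieList(SAMPLE_BODY));
```

The record with markup in its title is kept but escaped, so it renders as text; the records with a plain-HTTP poster URL or a mistyped year are dropped.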