Click to Skip Ad
Closing in...

Popcorn Time vulnerability could allow hackers to take over your computer

Published Aug 3rd, 2015 7:15PM EDT
BGR

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

One of the most popular movie streaming apps online might be a prime target for hackers. On Monday, TorrentFreak shared a report from Antonios Chariton (aka DaKnOb), a security engineer and researcher who discovered a major vulnerability in one of the most popular forks of Popcorn Time.

READ MORE: Windows 10 is spying on almost everything you do – here’s how to opt out

“There are two reasons that made me look into Popcorn Time,” said Chariton. “First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.”

Basically, in order to bypass the blocking in Europe, the developers of Popcorn Time utilizes CloudFlare infrastructure, which would mean that European ISPs would theoretically have to block the entire CloudFlare network in order to effectively shut off access to Popcorn Time.

Unfortunately, “the request to Cloudflare is initiated over plain HTTP,” which Chariton explains could allow an intruder to initiate a man-in-the-middle attack on the host’s computer. Seemingly without much effort, Chariton was able to inject malicious code through the app himself, taking control of the application.

But not all is lost, providing the developers are willing to follow the researcher’s advice:

“HTTP is insecure. There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response.”

It took one hour for Chariton to find this vulnerability, come up with a plan to exploit it and write the necessary code. This is clearly an issue that requires immediate attention. There’s an ongoing discussion between Chariton and the developers on the site’s GitLab.

Jacob Siegal
Jacob Siegal Associate Editor

Jacob Siegal is Associate Editor at BGR, having joined the news team in 2013. He has over a decade of professional writing and editing experience, and helps to lead our technology and entertainment product launch and movie release coverage.