Photo via Personal Creations/Flickr (CC BY 2.0)

Exploit opens Popcorn Time to potential hacks

Streaming ain't easy.


AJ Dellinger


Published Aug 5, 2015   Updated May 28, 2021, 5:31 am CDT

The Netflix for pirates could get you hacked. 

Security engineer and researcher Antonios Chariton, known as DaKnOb, wrote a blog post detailing how the streaming torrent app Popcorn Time could be susceptible to a man-in-the-middle attack, which would give a hacker complete control of a targeted machine.

While researching Popcorn Time, Chariton found that the app uses CloudFlare, a cloud-based content delivery network, to bypass ISP-level blocking. This makes Popcorn Time’s service difficult to block, but it also leads to the potentially exploitable vulnerability.

Because the request to CloudFlare from the app is sent via plain HTTP as opposed to the secure HTTPS, the initial request and response from the server could be intercepted and changed by a man-in-the-middle attack. There is also no system in place within Popcorn Time to ensure the validity of the data received. 

Chariton proved the vulnerability by completing a “content spoofing” attack in which he changed the title of the film Hot Pursuit to read “Hello World” within the application. More concerning, though, Chariton was able to inject malicious JavaScript code, which was executed without fail by Popcorn Time.

“Using this attack we can show fake messages or even do something smarter. Since the application is written in NodeJS, if you find an XSS vulnerability, you are able to control the entire application,” he explained. “This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

The Popcorn Time team responded to Chariton’s blog post with a post of their own, which downplays the potential for attacks. They claim a man-in-the-middle type attack is “very unlikely to happen to anyone” as it would require access to a person’s network.

Popcorn Time did acknowledge the possibility of content spoofing—which it dismissed as “useless”—and XSS attacks, which it deemed to be a legitimate issue, though an overstated one. “To be clear: [XSS attacks] would not allow to gain full control on the machine, as Popcorn Time doesn’t have elevated permissions,” the post explained.

The developers are releasing a hotfix for the vulnerability, which should be available soon. Changes will include handling most requests via HTTPS and sanitizing all information received from remote machines to prevent the application from executing potentially malicious code.
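The two changes described for the hotfix, sketched in JavaScript because the app runs on Node.js. This is an added example, not Popcorn Time's code: the endpoint, the field names and the response shape are assumptions, and it presumes that fields from the API end up in HTML shown to the user.

```javascript
// Constructed sample: a catalogue response as it could look after being rewritten
// in transit over plain HTTP. Field names and shape are assumed for illustration.
const tamperedResponse = JSON.stringify({
  movies: [
    { title: 'Hello World<script>injected()</script>', year: 2015 },
    { title: 'Hot Pursuit', year: '2015<script>' }, // wrong type for year
  ],
});

// Change 1: refuse any API endpoint that is not HTTPS, so the response is
// authenticated by TLS instead of being readable and editable on the network path.
function requireHttps(endpoint) {
  const url = new URL(endpoint);
  if (url.protocol !== 'https:') {
    throw new Error(`refusing non-HTTPS endpoint: ${url.origin}`);
  }
  return url;
}

// Change 2: treat everything from the remote side as data, never as markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Validate the shape and types first and drop records that do not fit.
function parseCatalogue(body) {
  const data = JSON.parse(body);
  if (!data || !Array.isArray(data.movies)) {
    throw new Error('unexpected response shape');
  }
  return data.movies
    .filter((m) => m && typeof m.title === 'string' && Number.isInteger(m.year))
    .map((m) => ({ title: m.title.slice(0, 200), year: m.year }));
}

// Escape at the point where the value is placed into HTML.
function renderTitle(movie) {
  return `<li>${escapeHtml(movie.title)} (${movie.year})</li>`;
}
```

With both checks in place, a spoofed title is displayed as literal text and a record with a malformed field is discarded before it reaches the page.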

H/T Engadget

*First Published: Aug 5, 2015, 3:27 pm CDT