Popular file sharing and streaming service Popcorn Time contains critical vulnerabilities leaving it open to XSS attacks, files being read locally and remote code execution attacks, according to a security researcher.

The security researcher has discovered significant vulnerabilities within the popular file streaming service Popcorn Time, potentially allowing attackers to gain complete access and control of a computer connected to the service. The researcher made a comprehensive account of his findings in a blog post.

Popcorn Time has always been a target among anti-privacy companies and the MPAA (Motion Picture Association of America) and now finds itself under threat from a different adversary.

The Vulnerability

Antonios Chariton, aka ‘DaKnOb’, the researcher who discovered the vulnerability, claims to be a security engineer and researcher studying in Greece for his B.Sc. in Computer Science.

“There are two reasons that made me look into Popcorn Time,” said Chariton.

First of all, I know many people who have installed this application on their personal computers and use it, and second of all, by pure accident: I was setting up my computer firewall when I noticed the network traffic initiated by Popcorn Time.

The engineering student notes that initial concerns aside, problems really flare up when Popcorn Time initiates a “really smart” process and technique to bypass the blockades set by ISPs (Internet Service Providers) in the UK. The popular streaming service manages to do this by using the CloudFlare infrastructure as a part of its setup and connectivity process. Due to this, ISPs find it nearly impossible to block Popcorn Time purely by means of a DNS address without banning the CloudFlare website entirely.

Despite being clever in its maneuvering around the blockade, the problems coming from such a move are clear.

“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man in the Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” explains Charlton.

The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.

Furthermore, Chariton was able to engineer and initiate “content spoofing” attack which enabled him to change the title of a movie. Case in point, he gave the movie Hot Pursuit the title of “Hello World” instead.

(Image credit: Daknob Blog)

It was at this point in time that Chariton launched an XSS attack. By injecting malicious JavaScript, the Popcorn Time client executed the code which gave him complete control of the application. He was only getting started, however.

“This essentially is Remote Code Execution on the computer that runs Popcorn Time. You can do anything the computer user could do.”

Image from PopcornTime Website and Wikipedia.