Popcorn Time Vulnerable to “man-in-the-middle” Attack – Report
A security researcher has found a vulnerability in the popular pirate movie application Popcorn Time that could allow a “man-in-the-middle” attacker to gain complete control of a target machine.
Antonios Chariton, aka ‘DaKnOb’, a Security Engineer & Researcher in Greece, discovered some serious security vulnerabilities in at least one fork of Popcorn Time. Chariton says the issue arises due to Cloudflare, which the app uses to bypass ISP-level blocking in the UK.
Although Cloudflare is “a really smart” technique, according to Chariton, the lack of layered security on top of that system is what leaves Popcorn Time vulnerable to hacking attacks.
“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),” Chariton explained.
“The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”
As a proof-of-concept, Chariton exploited this particular hole and performed a “content spoofing” attack, in which he changed the name of the movie Hot Pursuit to Hello World.
The same technique can be used to change any other information in Popcorn Time, the researcher notes. To demonstrate the severity of the bug, he even launched an XSS attack – a vulnerability that is exploited by hackers to inject potentially malicious scripts into web applications.
Unfortunately, there is nothing a user can do to avoid such attacks. But Chariton has some advice for Popcorn Time’s developers.
“HTTP is insecure,” he warned. “There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response.”
Update: Popcorn Time has now responded to the threat, saying:
“This attack requires that the attacker is either inside the local network, inside the host machine, or has poisoned the DNS servers.
In any case, there are far more valuable attacks than simply hitting Popcorn Time. Especially because it does not run with elevated privileges and won’t let the attacker install new programs for example.”
You can read Popcorn Time’s full statement here.