Security researcher Antonios A. Chariton says that a fork of the Popcorn Time app is entirely susceptible to a malicious ‘man-in-the-middle’ attack, that would essentially provide an attacker with entire control over a vulnerable machine.
The exploit relies on a few key factors being in place:
“First of all, the request to Cloudflare is initiated over plain HTTP. That means both the request and the response can be changed by someone with a Man In The Middle position (Local Attacker, Network Administrator, ISP, Government, etc.),”
“The second mistake is that there is no input sanitization whatsoever. That means, there are no checks in place to ensure the validity of the data received. The third mistake is that they make the previous two mistakes in a NodeJS application.”
As shown in the image below, Chariton says he was able to perform a “content spoofing” attack, in which he gave the movie Hot Pursuit the title of “Hello World” instead.
The researcher says that while he could’ve changed any other information in the Popcorn Time application, that wouldn’t be “exactly much fun”. So, to get pulses racing, he launched an XSS attack instead.
As shown in the image below, a Cross-Site Scripting (XSS) attack allows potentially malicious scripts to be injected into, and executed by, another application.
That’s obviously a pretty serious issue but Chariton does have some advice for the developers.
“HTTP is insecure. There’s nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don’t run inside a web browser. Second, sanitize your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn’t secure! Always perform client-side checks of the server response,” he notes.
Making the situation more complex is the number of Popcorn Time forks in circulation. Chariton told us that he carried out his tests on the variant available at PopcornTime.io but it’s certainly possible that the same issues exist elsewhere on lesser-used forks.
That being said, the developers behind the variant available at Popcorn-Time.se inform TorrentFreak that their version isn’t vulnerable to these exploits.
The team behind Popcorn Time has responded with the following comments:
This attack requires that the attacker is either inside the local network, inside the host machine, or has poisoned the DNS servers. In any case, there are far more valuable attacks than simply hitting Popcorn Time. Especially because it does not run with elevated privileges and won’t let the attacker install new programs for example.