Researcher warns of vulnerability in Popcorn Time

Researcher warns of vulnerability in Popcorn Time
Researcher warns of vulnerability in Popcorn Time

Popcorn Time, a popular application used for downloading and streaming pirate movies, could be vulnerable to a hack that could allow criminals to execute code remotely on a target machine.

A blog post by Greek security researcher Antonios Chariton demonstrated how a hacker “can get complete control of a computer assuming they have a Man In The Middle position in the network."

The hack is based on the way Popcorn Time circumvents blocks placed by ISPs on pirated content. The application connects to CloudFlare instead. This means if the ISP wanted or needed to block Popcorn Time, it would have to ban CloudFlare. However, as millions of websites rely on CloudFlare's cloud-based caching technology, this is not something that ISPs would easily embark on.

The real problem is that the connection to CloudFlare is made over HTTP instead of HTTPs.

"HTTP is insecure,” said Chariton. “There's nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don't run inside a web browser."

“Second, sanitise your input. Even if you receive something over TLS v1.2 using a Client Certificate, it still isn't secure! Always perform client-side checks of the server response,” he added.

Chariton said it took around an hour to find the flaw, devise a means of exploiting it and writing the necessary code to do so.

The developers of Popcorn Time responded in a blog to the claims and said that users of the service “don't need to worry” as man-in-the-middle attacks were “very unlikely” to happen as the victim's personal network would have had to be breached as well.

Popcorn Time did admit that there were some security problems with the application and a fix would be available shortly. This included sanitising all input received from a remote machine and making “most” requests over HTTPS.

Since the discovery, Chariton and Popcorn Time developers have been discussing problems with the applications on the site's GitHub page.

Adam Bridge, Lead Intrusions Analyst at Context Information Security said that challenges such as Popcorn Time are “best met by an organisation's Security Operations Centre (SOC)”.

“The specialists in the SOC hopefully have access to technology such as an Intrusion Prevention System (IPS) that would allow rules to be written to detect the tell-tale signs of Popcorn Time, such as the known domain names in the HTTP headers. Further, given the use of Torrents to download the actual video files, organisations might want to consider which users on their network can actually use this protocol as it is rarely used in day-to-day business activity,” said Bridge.

The blocking of applications such as Popcorn Time will not be easy for organisations.

Richard Cassidy, technical director EMEA at Alert Logic told SCMagazineUK.com that the challenge organisations face is that unless there are host-based file and service monitoring tools to identify the existence of the installation of an applications such as Popcorn Time, “then you are limited to detection by inspecting at a content level the communication from the client browser to all target servers to discover requests to Popcorn Time, hidden in a request through the cloudfare network via DNS; it's a very difficult one to thwart.”

He added that the weakness of this application is that it uses torrent downloads and operates in plaintext HTTP; therefore organisations that deploy their own proxy gateways to the internet will have much more control in sifting out the key backend server requests that cloud flare returns in the HTTP stream and torrent requests.

“Therefore ease of mitigation is essentially down to content inspection or application level inspection on user web connections from within the organisation,” he said.

Cassidy said that the attack vectors that Popcorn Time opens to hosts presents a very real problem to organisations whose users may connect to open wireless hotspots or public internet points.

“Given how the application is written and the platform on which it is built a MITM attack is possible against the Popcorn Time client, which essentially leads the host susceptible to RCE attacks, allowing attackers gaining escalated privileges and thus open to further malware infection and ultimately data loss; especially in today's incredibly well industrialised and monetised cyber-crime landscape,” he added.

Mark James, security specialist at ESET, told SCMagazineUK.com that blocking this application can cause some headaches for system administrators and the like. “Using policies to flag installation folders for Popcorn Time or looking for the application itself will be one of the ways of trying to stop this, but if someone wants to really get around it they would be able to circumvent that fairly easy,” he said.

Catalin Cosoi, chief security strategist at Bitdefender told SCMagazineUK.com that IT administrators can set up comprehensive rules in the web application firewall or other firewall appliances they manage. “By simply blocking some ports (if they haven't been already been blocked), they can prevent the application from working,” he added.

“To identify abnormalities and file sharing activity, organisations can monitor overall bandwidth usage and take a closer look at high consumers. In terms of policies, companies should make sure that all users agree to a policy that explicitly bans the use of file-sharing networks and systems inside the company network and on company-owned devices,” he said.