Attackers can easily access and read the user's local files

Aug 4, 2015 07:13 GMT

Popcorn Time, the BitTorrent-based software that allows users to stream and watch movies, is vulnerable to XSS, local file reading, and remote code execution attacks, as Antonios A. Chariton, a security engineer and researcher, has discovered.

While the original Popcorn Time app was discontinued and open-sourced at the pressure of the MPAA, its source code has been forked numerous times by other developers who have set up similar products of their own.

Analyzing one of the Popcorn Time forks, more specifically the one that runs on PopcornTime.io, the first one you get when typing Popcorn Time in Google, Mr. Chariton has noticed a series of flaws in its design.

Only the versions of the app coded on the Node.js platform are vulnerable, which means that the C++ version created for Popcorn-time.se is unaffected.

Popcorn Time does not use HTTPS for its communications

When the Popcorn Time application starts, it first queries a series of online API servers to fetch and display the content. This is done by sending HTTP requests and receiving an answer from the server with the content's data.

Because all requests and responses are handled in HTTP, an attacker could easily leverage an MitM (Man in the Middle) setup to intervene in the communications between the API servers and the Popcorn Time desktop client.

This way, attackers can inject various types of content into the responses sent to the desktop clients.

While this on its own is fairly harmless, since attackers would only be able to change information such as the movie title, poster image, and other movie details, Mr. Chariton also discovered that "there is no input sanitization whatsoever."

This means there's no limit to what can be sent back through the responses, and JavaScript code can be added and executed by the Popcorn Time desktop client.

An XSS vulnerability can be used to access and read local files

The Node.js codebase escalated the whole problem

Since the whole client is coded in JavaScript (Node.js) and has access to the user's entire PC, attackers could easily gain control of a computer, obtaining local files and executing their own malicious code inside the application just by packing it inside an API response.

All they need is JavaScript know-how, which Mr. Chariton has: in his experiments he showed that he could easily read and write local files.

"Discovering and exploiting this vulnerability was literally one hour of work, including the time to write all the JavaScript payloads and come up with cool stuff to do," says Mr. Chariton.

The issue was reported as a bug to the Popcorn Time fork's developers, who did their due diligence and added sanitization of the input they receive from API servers.

"I don't think we really need to use HTTPS at all. It will not solve the problem. There is always a way for someone to get their content inside the application. If they do that by mitm, hijacking DNS or hacking the YTS server: it doesn't matter," explains one of the Popcorn Time project maintainers.

"Eventually the application will show the content, thus we need to make sure that that content can't execute malicious code. That'll be enough to prevent hacks from the outside."
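The rendering mistake the article describes, beside the hardened form that the maintainers' sanitization fix amounts to, as an added JavaScript example (this is not Popcorn Time's code; the movie object, its fields and the tampered values are constructed for the demo):

```javascript
// Added example, not Popcorn Time's own code. Shows why concatenating an
// untrusted API response into markup is dangerous in a Node.js/NW.js client,
// and the escaping/validation that removes the problem.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: server-supplied fields go straight into markup, so
// whatever the API (or a MitM on plain HTTP) sends is rendered as HTML, and
// in a Node.js-backed UI any script it carries runs with file-system access.
function renderMovieUnsafe(movie) {
  return `<div class="movie"><h2>${movie.title}</h2>` +
         `<img src="${movie.poster}"></div>`;
}

// Only accept a poster URL that parses and uses http(s); anything else
// (including non-http schemes) falls back to a known-safe placeholder.
function safeUrl(candidate) {
  try {
    const u = new URL(String(candidate));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : 'about:blank';
  } catch (e) {
    return 'about:blank';
  }
}

// Hardened pattern: every untrusted field is treated as text and escaped,
// and the URL is validated before it is placed in an attribute.
function renderMovieSafe(movie) {
  return `<div class="movie"><h2>${escapeHtml(movie.title)}</h2>` +
         `<img src="${escapeHtml(safeUrl(movie.poster))}"></div>`;
}

// Constructed "API response": a title that is really markup and a poster
// field that is not an http(s) URL, as a tampered response would look.
const tamperedResponse = {
  title: 'Movie <script>/* injected */</script>',
  poster: 'javascript:void(0)',
};
```

`renderMovieUnsafe(tamperedResponse)` keeps the script tag intact, while `renderMovieSafe` renders it as visible text and replaces the poster with `about:blank`.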

Local applications can also be triggered using Popcorn Time's vulnerability

Popcorn Time XSS proof of concept (3 images): "Popcorn Time can be hacked using a simple MitM technique"; "An XSS vulnerability can be used to access and read local files"; "Local applications can also be triggered using Popcorn Time's vulnerability".