Screenshot
Using a series of techniques, Chariton wrote that he demonstrated how "someone can get complete control of a computer assuming they have a Man In The Middle position in the network."
A 'man-in-the-middle' attack is when a hacker intercepts a data request between two machines. It is then able to swap the intended data for something malicious. So, if an attacker is able to execute one of these intercepting attacks, he or she can wreak havoc on the computer running Popcorn Time.
The attack is based on the clever way Popcorn Time avoids being banned by internet service providers (ISPs). The application is able to connect directly to the CloudFlare network. This, put in the simplest of terms, means that if an ISP wants to block the Popcorn Time program it would have to ban the entire CloudFlare website and not just the pirated content program. This is a smart way to avoid widespread ISP blocks.
The problem, however, is that the connection to CloudFlare is made over the HTTP protocol, and it's been shown that HTTP is just not secure.
Chariton didn't mince his words: "HTTP is insecure. There's nothing you can do to change this. Please, use HTTPS everywhere, especially in applications that don't run inside a web browser."
Because of HTTP's vulnerability, Chariton wrote that he was able to inject malicious code into a victim computer using Popcorn Time.
Popcorn Time penned a blog post responding to these claims. It assured users that they "don't need to worry." For one, man-in-the-middle attacks are "very unlikely," and require a hacker gaining access into a victim's personal network.
The site does admit that there are some security issues to be dealt with. It says it will release a fix to these shortly, but adds that what Chariton brought to light isn't as dire as it may seem.