A popular middleware platform for media streaming services has several critical security vulnerabilities, discovered by security researchers. If exploited in sequence, these flaws could allow attackers to completely bypass security checks and extract sensitive subscriber information, including financial details. If that’s not concerning enough, attackers could easily replace the content being broadcast with any stream of their choice on the TV screens of all compromised customer networks.
Ministra TV, a widely used middleware platform, is apparently at risk owing to multiple security bugs. The software is essentially an intermediary platform for media streaming services. Several popular streaming services rely on the platform for managing their Internet Protocol television (IPTV), Video-On-Demand (VOD) and Over-The-Top (OTT) content and licenses. The platform also allows storing and managing the subscriber database as well as transaction details, if needed.
The vulnerabilities in the Ministra TV platform were first discovered by security researchers at Check Point. Apparently, the flaws are present in the core administrative panel of the platform. Attackers can potentially get into the system by completely bypassing authentication. Once inside, attackers could scrape the subscriber database, including financial details. Attackers could also replace the content with any stream of their choice. Furthermore, they could broadcast the hijacked stream onto the TV screens of all affected customer networks.
Evidently, the security vulnerability exists in an authentication function of the Ministra platform that fails to validate the request. In simple words, a remote attacker can bypass authentication. Using another security flaw, the attackers can perform SQL injection. The two attacks are chained: the authentication bypass comes first, then the SQL injection. Once inside, attackers can proceed to exploit a PHP Object Injection vulnerability. This would allow virtually complete control of the platform. Attackers can choose to remotely execute arbitrary code on the targeted server.
Previously known as Stalker Portal, the Ministra TV platform is essentially PHP-based software. It was developed by the Ukrainian company Infomir. The middleware platform is currently used by more than a thousand online media streaming services, including those in the US, Russia, France, Canada, and other countries.
After discovering the security loopholes, the security researchers briefed the company managing the middleware platform. Taking the report seriously, Infomir has patched the issues and released an updated version of the Ministra TV platform. The latest version of Ministra TV is 5.4.1. Apparently, end subscribers cannot initiate an update. The company behind Ministra TV is strongly urging the streaming companies that use this middleware platform to update their systems to the latest version.