Researchers: Kodi's add-on update mechanism is vulnerable




Media player Kodi, formerly known as XBMC, contains a vulnerability that can be exploited through man-in-the-middle attacks, Bitdefender has found. The vulnerability is in the update mechanism for add-ons. The Kodi developers are already working on patches.

When Kodi starts, the software immediately checks whether updates for add-ons are available. If there are, they are retrieved and installed automatically. Bitdefender found security problems in this mechanism. For example, updating uses only unencrypted HTTP traffic. First, Kodi requests the MD5 hash of addons.xml, a configuration file that lists the version numbers of add-ons. If this hash differs from the locally stored MD5 hash of addons.xml, the updates are requested. At that point, a man-in-the-middle attack can be carried out by returning a random MD5 hash. According to Bitdefender, Kodi accepts this without question.

In the second step of the attack, a custom addons.xml is sent in which an add-on is listed with a higher version number. The attacker can pack malicious code into this add-on and send it to the target together with a correct MD5 hash. Kodi will automatically install this “update”.

Bitdefender used this attack method to obtain, among other things, YouTube credentials on OpenELEC systems by sending a customized YouTube add-on to a victim. In addition, they were able to get a manipulated Dropbox add-on, called DBMC, to secretly upload files from a Dropbox folder to an arbitrary FTP server.

According to Bitdefender, the disclosed attack method has not only proved successful but is also not very complex to carry out. In theory, a complete machine can be taken over, or an attacker can obtain sensitive data such as passwords. The security company therefore proposes that software such as Kodi use encrypted connections, because the transmitted information can otherwise easily be manipulated.
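The following added example (not code from Kodi or Bitdefender) shows why a hash fetched over the same unencrypted channel as addons.xml only catches accidental corruption, and contrasts it with a digest that is authenticated by a key pinned in the client. It goes beyond the encrypted-transport recommendation above. The sample XML, the key and all function names are constructed for illustration, and the HMAC stands in for a publisher signature that a real client would verify with a public key.

```python
import hashlib
import hmac

# Constructed sample manifests; not real Kodi repository content.
GENUINE_XML = b'<addons><addon id="plugin.example" version="1.0.0"/></addons>'
TAMPERED_XML = b'<addons><addon id="plugin.example" version="9.9.9"/></addons>'

# Hypothetical key pinned in the client (stand-in for a publisher public key).
PINNED_KEY = b"constructed-demo-key"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def publisher_tag(data: bytes, key: bytes = PINNED_KEY) -> str:
    """Tag the repository owner would publish next to addons.xml."""
    digest = hashlib.sha256(data).digest()
    return hmac.new(key, digest, hashlib.sha256).hexdigest()


def check_same_channel(body: bytes, served_md5: str) -> bool:
    """The check the article describes: body and hash arrive over the same
    HTTP connection, so whoever controls that connection controls both."""
    return hmac.compare_digest(md5_hex(body), served_md5)


def check_authenticated(body: bytes, served_tag: str) -> bool:
    """Hardened check: the tag can only be produced with the pinned key."""
    return hmac.compare_digest(publisher_tag(body), served_tag)


def run_demo() -> dict:
    genuine_tag = publisher_tag(GENUINE_XML)
    forged_tag = publisher_tag(TAMPERED_XML, key=b"not-the-pinned-key")
    return {
        "same_channel_genuine": check_same_channel(GENUINE_XML, md5_hex(GENUINE_XML)),
        # Body and hash rewritten together in transit: the check still passes.
        "same_channel_tampered": check_same_channel(TAMPERED_XML, md5_hex(TAMPERED_XML)),
        "auth_genuine": check_authenticated(GENUINE_XML, genuine_tag),
        # Rewritten body with the genuine tag replayed: rejected.
        "auth_tampered_replayed": check_authenticated(TAMPERED_XML, genuine_tag),
        # Rewritten body with a tag made without the pinned key: rejected.
        "auth_tampered_forged": check_authenticated(TAMPERED_XML, forged_tag),
    }


if __name__ == "__main__":
    for name, accepted in run_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```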

Bitdefender has briefed the Kodi developers about the problem. They are reportedly working on patches, though it is still unclear when new builds of the popular media player software can be expected.

