Kodi Users at Risk From Github Repo ‘Hijack’ But Solution is Already Available
While many pirates appear to get along with each other just fine, parts of the Kodi addon community regularly descend into chaos.
This so-called ‘drama’ happens on a regular basis and gets covered on various blogs that cover the scene far more closely than we do here on TF.
However, every now and again an issue raises its head that’s worthy of additional coverage, particularly when it has the potential to affect a broad range of users of popular Kodi addons.
Developers of Kodi add-ons, of all types and intent, regularly host their tools on coding platform Github. The US-based service is ideal for development and when users sign up, they’re allocated a unique URL, which can be referenced (just like a regular URL), all over the Internet.
These URLs can also be used to pull updates to add-ons that are installed on users’ machines. However, there is a loophole that can allow add-ons to pull updates that weren’t supplied by the original developer.
The problem was highlighted at least a couple of years ago when famous Kodi add-on developer MetalKettle deleted his Github repo. Shortly after, a third party signed up to the platform with the same username (something which Github expressly allows) and thereby obtained the same URL.
This meant that this third party was able to push updates to people using MetalKettle add-ons in their Kodi setup. It’s not difficult to see the problem when a previously trusted URL is suddenly placed in the hands of a potentially malicious third party.
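The weakness described above is that an installed add-on trusts whatever is served at a username-based URL, so whoever controls the username next controls the updates. The defensive fix is to pin something the original developer controls and a new account holder cannot reproduce: a signing key recorded at install time. The following Go program is an added illustration of that check and is not Kodi’s own update code, nor anything from the developers or sites named in this article. The manifest layout, the add-on id plugin.video.example, the zip contents and the key seeds are all constructed for the example; real Kodi repositories do not ship signed manifests of this form.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest describes one add-on release as a repository might publish it.
// The client accepts it only if the signature verifies under the key pinned
// at install time; the URL it was fetched from carries no trust at all.
type Manifest struct {
	Addon   string // constructed add-on id
	Version string
	ZipHash string // hex SHA-256 of the add-on zip
	Sig     []byte // ed25519 signature over manifestBytes
}

// manifestBytes is the canonical byte string that gets signed.
func manifestBytes(m Manifest) []byte {
	return []byte(m.Addon + "\n" + m.Version + "\n" + m.ZipHash + "\n")
}

func hashHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// SignManifest is the publishing step run by the original developer.
func SignManifest(priv ed25519.PrivateKey, m Manifest) Manifest {
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate is the client-side check: pinned key first, then content hash.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, zip []byte) error {
	if !ed25519.Verify(pinned, manifestBytes(m), m.Sig) {
		return errors.New("manifest signature does not verify under the pinned key")
	}
	if hashHex(zip) != m.ZipHash {
		return errors.New("zip does not match the hash in the signed manifest")
	}
	return nil
}

// Result holds the outcome of the three cases the scenario exercises.
type Result struct {
	GenuineErr error // release signed by the original developer
	HijackErr  error // release signed by whoever re-registered the username
	TamperErr  error // genuine manifest served alongside a swapped zip
}

// RunScenario plays out a repo takeover against a client that pins the
// original developer's public key. Seeds are constructed, not real keys.
func RunScenario() Result {
	devPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	newPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
	pinned := devPriv.Public().(ed25519.PublicKey) // recorded at install time

	genuineZip := []byte("constructed add-on zip, version 1.0.1")
	genuine := SignManifest(devPriv, Manifest{
		Addon: "plugin.video.example", Version: "1.0.1", ZipHash: hashHex(genuineZip),
	})

	// The new holder of the username serves their own zip under the same URL.
	hijackZip := []byte("constructed zip from the re-registered account")
	hijack := SignManifest(newPriv, Manifest{
		Addon: "plugin.video.example", Version: "1.0.2", ZipHash: hashHex(hijackZip),
	})

	return Result{
		GenuineErr: VerifyUpdate(pinned, genuine, genuineZip),
		HijackErr:  VerifyUpdate(pinned, hijack, hijackZip),
		TamperErr:  VerifyUpdate(pinned, genuine, hijackZip),
	}
}

func main() {
	r := RunScenario()
	fmt.Println("genuine release:", r.GenuineErr)
	fmt.Println("hijacked release:", r.HijackErr)
	fmt.Println("tampered zip:", r.TamperErr)
}
```

Note that a checksum file served from the same repository would not help here: the person who re-registers the username can publish matching checksums for their own zip. Only a key the client already holds, independent of the URL, distinguishes the original developer from the new account holder.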
This ‘hijacking’ of accounts has happened several times since but things boiled over again recently when the popular ‘13Clowns’ repo was deleted by its developer, only to be quickly re-registered on Github with the same name and, indeed, the same URL.
As the pair of images below show, the original repo (first) and imposter repo (second) are quite different, despite having the same username and appearing on the same URL.
The software hosted in the new repo began sending updates to former users of ‘13Clowns’, which included a fork of the Exodus add-on and, controversially, tools that originate from TVAddons, the under-fire Canada-based Kodi add-on indexing site.
Those familiar with the add-on scene see TVAddons as what the Brits might describe as a ‘marmite’ resource – people either love it, or hate it – and there is no shortage of Kodi users expressing both opinions.
Those that hate the site immediately claimed that the existence of TVAddons tools in the update means that the site was logically involved in the ‘hijack’, with KodiTips going as far as publishing a guide on how to remove the software pushed by the update. The software doesn’t seem malicious as such, but it does help TVAddons.
In response, those in support of TVAddons claimed that anyone could’ve ‘hijacked’ the repo (which is true, of course), with TVAddons itself going to great lengths to deny the allegations.
They state they have nothing to do with it, while suggesting that a TVAddons supporter could be responsible. Or, alternatively, it might be a “copyright holder trying to destroy the Kodi community through the most effective method to date: in-fighting.”
The truth is that only the people behind this somewhat underhand tactic know exactly what has happened here, so we’ll leave the speculation to other publications. However, perhaps of more interest is the manner in which this situation came to pass via Github allowing people to re-register accounts with not only the same username as a former user, but also granting access to the same URL.
As a law-abiding company, Github is known for quickly responding to takedown requests, fully in line with the requirements of the DMCA. That being said, this loophole can also be exploited against developers of completely legitimate add-ons, should they decide to delete their accounts.
TorrentFreak contacted Github with an outline of the problem and asked whether it would be possible to implement measures that might reduce the risk, such as disallowing the re-use of usernames and identical URLs for a period of six months following deletion.
While the company didn’t respond directly to this suggestion, TorrentFreak was informed that systems are already in place to deal with this type of abuse.
The company’s repository namespace retirement policy supports mitigating this issue while its Acceptable Use Policy prohibits any kind of exploit. We can confirm that reusing a previously registered repo name to deliver add-ons to Kodi in the manner highlighted above is considered an exploit.
Therefore, this problem – which has caused so much conflict recently – can be dealt with under Github’s existing systems. Anyone sending a detailed complaint to Github via this form can have it investigated by the company, with offending repos being taken down.
In the meantime, it appears that those holding much of the power here are the developers themselves. By not deleting their Github accounts they constantly remain in charge of their own repos, meaning that no imposters can come in to masquerade as them.