Researchers: Kodi is vulnerable when updating add-ons
Media player Kodi, previously known as XBMC, contains a vulnerability that can be exploited by man-in-the-middle attacks, Bitdefender has discovered. The vulnerability is located in the add-on update mechanism. The Kodi developers are now working on patches.
When Kodi starts up, the software immediately checks for any add-on updates. If there are, they will be retrieved and installed automatically. Security company Bitdefender has found a problem in this mechanism. For example, only unencrypted http traffic is used when updating. First, the md5 hash for addons.xml, a configuration file that contains version numbers of add-ons, is requested. If this hash differs from an already locally stored md5 hash of addons.xml, the updates will be requested. At that point, a man-in-the-middle attack can be performed by returning any md5. According to Bitdefender, this is accepted by Kodi without question.
In a second step of the attack, a modified addons.xml containing an add-on with a higher version number can be sent. The attacker can package malicious code into this add-on and send it to the target along with a correct md5 hash. Kodi will install this ‘update’ automatically.
With this attack, Bitdefender managed to obtain YouTube credentials on OpenElec systems, among other things, by sending a customized YouTube add-on to a victim. In addition, they were able to stealthily upload files from a Dropbox folder to any FTP server using a manipulated Dropbox add-on called Dbmc.
According to Bitdefender, the attack method described has not only proved successful, but also not very complex to execute. In theory, an entire machine could be taken over or an attacker could get hold of sensitive data such as passwords. The security company therefore states that software such as Kodi must also start using encrypted connections, because otherwise the information sent can be manipulated too easily.
Bitdefender has notified Kodi developers about the issue. They are currently working on patches, although it is not yet clear when we can expect them in new builds of the popular media player software.