Web Interface For Kodi: Is Someone Spying On Your Device?

The web interface for XBMC has an obvious vulnerability that anyone can take advantage of.

There are a large number of Kodi users who are running their Kodi setup with a special remote access interface that has poor protection.

That poor protection can give third-parties the ability to view and monitor the Kodi addons these users have installed on their systems.

Moreover, third-party developers can also get a hold of other sensitive information through this remote access interface.

In fact, in some of the cases, anyone can remotely view a Kodi user’s private videos which are vulnerable because of the remote access interface, with the help of a simple web browser.

That is not the worst news.

The worst is that online hackers can actually go ahead and change any of the Kodi user’s Kodi settings.

Needless to say, that can cause a huge amount of chaos and damage to unsuspecting Kodi users.

The debate about which media player is the most popular is fast dying out.

Why?

Because Kodi is absolutely crushing it as far as the number of users is concerned.

Millions of people have installed Kodi on their machines.

In fact, according to the MPAA, there are now more than 38 million Kodi devices.

However, all that popularity doesn’t mean Kodi is safe.

Or even good.

In other words, some users have found out that the Kodi software, in its current form, has a quite serious security flaw.

Kodi itself has a formidable number of impressive features.

They are not only great in quantity but also in quality.

Most users don’t know how to configure Kodi properly though.

And that can raise a lot of security issues for them.

What do we mean here?

Kodi isn’t just an open source media player.

It is a home theatre software application.

And because it has so many features to choose from, users sometimes forget how easy it is for hackers to take advantage of Kodi to hack their sensitive information.

For example, let’s take the case of a remote control feature that Kodi has offered since the beginning.

Using this feature, a Kodi user can easily and remotely manage his/her software via just a web interface.

In other words, Kodi users can control their Kodi setup that is installed on their computer machines or even a set-top box by only using a convenient and lean browser-based online interface from any other device.

They can use the interface from the same room if they want to.

And because of the way the web interface works, users can also access and manage their Kodi device from any place in the world.

They just need to have a computer machine.

And of course, an internet connection.

Now, granted the earlier versions of Kodi web interface didn’t look all that great.

But that version got the job done.

Users could easily use the web interface to customize their Kodi setup.

Needless to say, Kodi offered users a great feature.

But here is the real problem:

The web interface for XBMC is a nice feature. But only for those who know how to protect themselves.

Kodi users didn’t always password-protect their Kodi device’s web interface.

That usually means that any outsider can access their computer machine on which they have installed the Kodi setup.

All that “outsider” would need is the Kodi user’s IP address along with any web browser.

In fact, TorrentFreak reported that any able enough attacker could see a user’s Kodi setup via the web interface in a matter of seconds.

And he would only need to use a specialist search engine for that purpose.

We have already mentioned that the old Kodi web-interface didn’t represent any more than a remote control for Kodi.

As with all things, Kodi developed into a totally different beast after 2015.

In late 2016, Kodi developers started to include the much more efficient and functional Chorus2 Kodi interface.

From 2016 onwards, Kodi came pre-installed with the Chorus 2 interface by default.

TorrentFreak managed to get a screenshot of the new interface as well.

And apparently, the one who took the screenshot of the Kodi setup accessed another user’s Kodi setup directly from the internet.

In other words, the new Chorus2 Kodi web interface is still open to the internet.

We now also know that the Kodi web-interface acts like a web page in every possible way.

It allows any user who has access to a given Kodi user’s IP address to access that Kodi user’s setup.

Of course, anyone wanting access would have to make sure to append :8080 to the very end of the user’s IP address.

Readers should understand that this scenario is pretty similar to when someone accesses Google search engine not with Google.com but with the website’s IP address which is 216.58.216.142.

That doesn’t mean that Chorus2 is useless.

It is true that despite all its flaws it is still more comprehensive than Kodi’s previous web interface.

What does that mean for outsiders?

That means they can still potentially browse sensitive information including any Kodi user’s add-ons.

Of course, if the Kodi user has protected his/her Kodi setup with a password then they will find it hard to gain access.

Various media reports have revealed that many Kodi users don’t enable password protection in the appropriate Kodi sections.

So what’s the problem with someone else browsing someone else’s Kodi addons?

The world obviously has more engaging things to offer.

Well, here is the thing:

If a hacker has enough skill then things can really get spicier.

Decidedly.

How?

Not a lot of people know this but the Chorus 2 Kodi web interface allows both unauthorized and authorized Kodi users to go a lot further than just browsing.

Let’s take an example.

With the Chorus 2 interface, it is entirely possible to actually modify any Kodi system’s settings directly from the web interface.

Anyone wanting to take risks can achieve even more mischievous things.

They include,

  • Disabling the user’s keyboard
  • Disabling the Kodi user’s mouse

The Kodi system menu can also give away other important information such as system usernames.

The web interface for XBMC can cause XBMC users a lot of security issues.

Along with many other sensitive pieces of information.

So what?

Hackers already have plenty of ways to screw with people’s settings.

What’s so different about this Kodi setup?

It is true.

Most low-scale hackers hack people for pointless reasons.

But that still makes those hacks malicious.

The Kodi Chorus 2 web interface offers outsiders many more tricks in order to mess with the user’s Kodi setup.

If a Kodi user has video or audio content on his/her Kodi setup then in many cases attackers can access these and actually play them too directly from the web interface.

Of course, no one should blame Kodi users for keeping video and audio content on their Kodi setup.

After all, Kodi is an open source media player and that’s what it is supposed to do.

Play content.

Of all sorts.

To put it in simpler terms, anyone with any Kodi user’s IP address can easily view the content of the Kodi user’s complete video library.

Not only that, they don’t even need to be close to the Kodi user in order to do so.

As mentioned before, hackers can compromise any Kodi setup from even the farthest corners of the world.

And they don’t even need to employ sophisticated malicious code to do that.

All it takes is just a couple of online clicks and they are done.

You can easily find screenshots of Kodi users on the internet who hackers compromised.

These hackers also have the ability to grant themselves exclusive access to the Kodi user’s storage facilities.

These include the network’s storage components or the local disk.

Hackers can also browse the storage and reveal content such as movies.

Attackers can know everything, from drive names to the type of networks that Kodi user has connected to and any home video titles they might have in their Kodi library.

That doesn’t address the big question though.

In fact, let’s state the big question first.

The most crucial question that arises from all of this is: can someone who has access to a Kodi setup view personal videos remotely using nothing but the Chorus 2 web interface via a simple browser?

The answer to that question is an absolute yes.

Any attacker can simply click on each piece of content and Kodi will reveal a button related to the media.

It will actually show the user the button that he/she has to use to view the media.

The button is usually located in a bar that appears to the right of the content.

If one clicks on that button, it shows two other options.

  1. Download
  2. Queue in Kodi

The first option allows the user to store the content.

The web interface for XBMC gives any user access to anything if there is no password protection.

As you can probably imagine, the attacker can simply perform that action from the remote browser.

The location of the attacker is irrelevant in this case since he/she is accessing content via a web interface.

The second option allows the user to play the content on the Kodi installation itself.

All the powerful web browsers available in the market today such as Mozilla Firefox and/or Google Chrome can perform this task effortlessly.

Some would think this is kind of fun.

Especially for an outsider.

Maybe it is even useful.

But it isn’t if it is your Kodi system that someone else has accessed for “fun”.

The simple fact is, no one likes his/her system to be open to the whole internet.

There is some good news though.

What is that good news?

If Kodi users want to, they can do something about it.

How?

The Kodi team has taken great pains to describe how Chorus 2 works.

Chorus 2 comes with a lot of benefits, says the Kodi team.

Then it goes on to describe the benefits of the web interface.

All of that is great.

What isn’t great is the number of Kodi users who for one reason or another don’t take the Kodi team’s advice when it tells them to introduce a unique and new password for their web interface.

There is a default username and password though.

And it’s “Kodi”.

Needless to say, that is a terrible password.

But it is the default password so what can one expect?

As far as online security goes, a password of that sort basically allows an outsider to just walk in and start browsing someone else’s Kodi setup.

That holds true only as long as the Kodi user doesn’t take the pains to set up a new and difficult password.

Kodi users who are making use of the open source media player must understand that this is a great time to fix those settings.

If a Kodi user does not use the web interface, then the best advice is to disable the feature.

If someone does, then the best thing to do in that case is to enable the password protection feature.

And then choose a strong password.
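
The two checks above (is the web interface enabled, and is its password empty or the default) can be run against a copy of the device's `guisettings.xml`. This is an added example, not Kodi's own code; the setting ids, the version-2 file layout and the 12-character minimum are assumptions to verify against your own installation, and the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed version-2 guisettings.xml layout.
SAMPLE = """<settings version="2">
  <setting id="services.webserver">true</setting>
  <setting id="services.webserverport" default="true">8080</setting>
  <setting id="services.webserverusername" default="true">kodi</setting>
  <setting id="services.webserverpassword" default="true"></setting>
</settings>"""

WEAK_PASSWORDS = {"", "kodi", "xbmc", "password", "1234"}
MIN_LENGTH = 12  # assumed local policy, not a Kodi requirement


def load_settings(xml_text):
    """Return {setting id: value} from guisettings.xml text."""
    root = ET.fromstring(xml_text)
    return {s.get("id"): (s.text or "").strip() for s in root.iter("setting")}


def audit_webserver(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    cfg = load_settings(xml_text)
    if cfg.get("services.webserver", "false").lower() != "true":
        return []  # web interface disabled: nothing exposed over HTTP
    findings = []
    port = cfg.get("services.webserverport", "8080")
    password = cfg.get("services.webserverpassword", "")
    if password.lower() in WEAK_PASSWORDS:
        findings.append(f"port {port}: password is empty or a well-known default")
    elif len(password) < MIN_LENGTH:
        findings.append(f"port {port}: password shorter than {MIN_LENGTH} characters")
    # Assumed id: newer builds may carry a separate authentication switch.
    if cfg.get("services.webserverauthentication", "true").lower() == "false":
        findings.append(f"port {port}: authentication is switched off")
    return findings


if __name__ == "__main__":
    for line in audit_webserver(SAMPLE) or ["no findings"]:
        print(line)
```

An empty result only means these settings look sane; whether port 8080 is reachable from outside the home network still depends on the router's port forwarding.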

Moreover, it’s not like the Kodi team hasn’t done anything to warn users about how attackers can take advantage of the Chorus 2 interface.

Just recently, the hugely popular TVAddons website, a Kodi addon repository, published an article in which it warned Kodi users.

It warned Kodi users that if someone was still using jailbroken Apple TV 2 Kodi devices then they needed to download a fix as soon as possible.

The problem with the jailbroken Apple TV 2 Kodi device also had a lot to do with the default password.

As mentioned before, the default password issue is one issue that users can easily solve.

How?

By setting a stronger password.

And that is basically it.

They don’t need to do much more than that.

When TorrentFreak got hold of a TVaddons spokesperson, he said that Kodi users needed to realize that all Kodi boxes represented mini computers.

Hence they need to treat these mini computers, or Kodi boxes, as such.

In other words, when someone installed a Kodi build or followed a guide from an online but disreputable source, then that someone basically opened himself/herself to many potential risks.

People normally don’t use Kodi boxes to handle any kind of sensitive data.

This is perhaps the reason why they are so confident in disregarding the potential risks that their network is exposed to when they don’t use adequate password protection.

Now For More Good News

Users who wanted to use Kodi on something other than their old consoles and/or desktop computers can now do so.

On their Xbox One.

Yes.

Kodi has finally given some attention to its roots and now all Xbox One users can install Kodi on their systems.

Kodi on Xbox One does come with some limitations though.

We all know that Kodi began its life not as Kodi but as XBMC or Xbox Media Center.

As mentioned earlier as well, Kodi is a home theater software.

And now users can access it from their Xbox One store.

This is the first time the Kodi team has developed a version of Kodi for the new generation gaming consoles.

The Kodi team made the announcement via a blog post on its official website.

The release is currently downloadable but is in the very early stages of its development.

And because of that, the Xbox One version of Kodi is missing quite a lot of the functionality that has made the PC version of this software so popular.

The missing features include,

  • No access to the Blu-ray drive that is found on the Xbox One
  • This version of Kodi can’t access any attached or external hard drive
  • Kodi can’t access anything beyond a certain portion of the official Xbox One music and video folders.
  • The network access is also limited to NFS:// type shares only.
  • Some users may not be able to use many other add-ons and plug-ins.
  • Some might not even work with the official Xbox One interface at the time of the announcement.

 

Zohair

Zohair is currently a content crafter at Security Gladiators and has been involved in the technology industry for more than a decade. He is an engineer by training and, naturally, likes to help people solve their tech related problems. When he is not writing, he can usually be found practicing his free-kicks in the ground beside his house.