Warning: 'MetalKettle' Repository For Kodi Becomes Vulnerable After GitHub Takeover (betanews.com) 28

BrianFagioli shares a report from BetaNews: Unfortunately, there can apparently be security issues with repositories when they shut down. For example, when the metalkettle repo ended, the developer deleted its entry on GitHub. This in itself is not a cause for concern, but unfortunately, GitHub's allowance of project names to be recycled is. You see, someone re-registered the metalkettle name, making it possible for nefarious people to potentially serve up malware to Kodi users. The warning came from the metalkettle developer over on Twitter. He warns that devices with the repository installed could be in danger from a security standpoint. If a user was to search that repo, and the new owner of the GitHub name was to share malware, the user could assume it is safe and install it. We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry. If you still have the repository installed, you should remove it immediately. Not to mention, if you know someone using Kodi, such as a friend or family member, you should warn them too.

  • by bobstreo ( 1320787 ) on Friday September 15, 2017 @06:41PM (#55206703)

    With issues. The current advice is to disable automatic updates for everything for a few days until this gets sorted out.

    Allegedly Exodus is having problems as well

    Here's how to just remove MK:

    http://koditips.com/uninstall-... [koditips.com]

  • by Anonymous Coward on Friday September 15, 2017 @06:45PM (#55206715)

    Of course the fault here is not the reuse of the repository name, but trusting the repository implicitly in the first place. After all, both the repository and Kodi (whatever that is) would also be compromised if the account of anyone with push access was compromised, or if Github itself was compromised, for that matter.

  • Why Not (Score:5, Interesting)

    by sexconker ( 1179573 ) on Friday September 15, 2017 @06:48PM (#55206729)

    Repo manager posts a publickey in the repo. User is prompted to trust or distrust that public key when adding the repo, or whenever the repo's public key changes.

    Repo manager signs everything they add with the corresponding private key. Users automatically verify everything they download with a stored copy of public key.

    Someone who takes over the repo can't fuck users over without also getting the private key or convincing users to trust the new public key.

    • Public key? Trust? Keys changing? What the hell are you talking about man, I just want my toy to update!

      Sincerely
      The vast majority of users who have no idea if you were even speaking English in your post, let alone what a public key is or what it has to do with updating software.

      • Chrome extensions have been pretty much this for years. The user's never prompted to accept the key initially, but updates don't run unless the key matches. If you want to install a non-matching update you have to uninstall the old one first.

        I think that's a reasonable way to do it. The only time anyone other than the developer has to think about keys is if the developer loses control of their key.
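The pinning scheme sexconker proposes, together with the Chrome-extension behaviour described in the reply above, as an added example that is not code from Kodi, Chrome, or anyone in this thread. It assumes a hypothetical client that stores the repo's Ed25519 public key when the user first adds the repo, then refuses any refresh where the served key differs from the pinned one or where the addon index is not signed by the pinned key; the repo name and manifest contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Pinned is what the client stores when the user accepts a repo's key on first add (trust on first use).
type Pinned struct {
	Name string
	Key  ed25519.PublicKey
}

var (
	ErrKeyChanged   = errors.New("repo public key changed; confirm the new key with the developer before updating")
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned key")
)

// VerifyUpdate runs on every refresh: served is the key the repo presents now,
// manifest is the addon index and sig the repo's signature over it.
func VerifyUpdate(p Pinned, served ed25519.PublicKey, manifest, sig []byte) error {
	if !p.Key.Equal(served) {
		return ErrKeyChanged // whoever re-registered the name does not hold the old private key
	}
	if !ed25519.Verify(p.Key, manifest, sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo walks three cases: an honest update, a takeover presenting a new key,
// and a takeover that keeps serving the old public key but cannot sign with it.
func Demo() (honest, takeover, forged error) {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	newPub, newPriv, _ := ed25519.GenerateKey(rand.Reader)
	pinned := Pinned{Name: "metalkettle", Key: devPub}             // accepted when the repo was added
	manifest := []byte("addon=plugin.video.example version=1.0.1") // constructed sample index
	honest = VerifyUpdate(pinned, devPub, manifest, ed25519.Sign(devPriv, manifest))
	takeover = VerifyUpdate(pinned, newPub, manifest, ed25519.Sign(newPriv, manifest))
	forged = VerifyUpdate(pinned, devPub, manifest, ed25519.Sign(newPriv, manifest))
	return
}

func main() {
	h, t, f := Demo()
	fmt.Println("honest:", h, "| takeover:", t, "| forged:", f)
}
```

The first case passes, the second is rejected because the key changed, and the third is rejected because the signature does not verify; a client that behaves this way never needs the user to understand keys unless the developer loses control of theirs.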

  • by jon3k ( 691256 )
    Can someone explain what this is? I found this [kodireviews.com] but I don't really understand. Is this some addon to view pirated content? That article is from June 2017 but apparently the repo is already shutdown?
    • by tlhIngan ( 30335 )

      Can someone explain what this is? I found this but I don't really understand. Is this some addon to view pirated content? That article is from June 2017 but apparently the repo is already shutdown?

      Could be. The reason being that the Kodi devs are trying to get pirate Kodi boxes shut down because they're ruining the Kodi name (i.e., people are associating Kodi with pirated content). It's why the Kodi devs have been taking down pirate Kodi box sellers (who also pollute the official Kodi forums - the customer

  • Essentially run:

    git remote remove origin

    (it may have a different name if it was customized somehow)

    That way you can keep the repo and you won't pull something unwanted.

    • That way you can keep the repo and you won't pull something unwanted.

      Kodi won't remove stuff because you remove the repo, will it? Never has before but I might be a version or two behind now.

  • You ran the same risk with the old guy as you do with the new guy.
