Slashdot Mirror


Warning: 'MetalKettle' Repository For Kodi Becomes Vulnerable After GitHub Takeover (betanews.com)

BrianFagioli shares a report from BetaNews: Unfortunately, there can apparently be security issues with repositories when they shut down. For example, when the metalkettle repo ended, the developer deleted its entry on GitHub. This in itself is not a cause for concern, but unfortunately, GitHub's allowance of project names to be recycled is. You see, someone re-registered the metalkettle name, making it possible for nefarious people to potentially serve up malware to Kodi users. The warning came from the metalkettle developer over on Twitter. He warns that devices with the repository installed could be in danger from a security standpoint. If a user was to search that repo, and the new owner of the GitHub name was to share malware, the user could assume it is safe and install it. We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry. If you still have the repository installed, you should remove it immediately. Not to mention, if you know someone using Kodi, such as a friend or family member, you should warn them too.

28 comments

  1. Does it seem... by Anonymous Coward · · Score: 0

    That uniqueness should be based on the project name AND the userid of the owner?

    That way, if a new project was made with the same name, but a different owner, the system would not be confused.

    Simpler yet, just use the project name as a tag and determine uniqueness on an internally generated project id

    c'mon is this the level of development that is common to all github projects?

    1. Re:Does it seem... by OverlordQ · · Score: 4, Informative

      > That uniqueness should be based on the project name AND the userid of the owner?

      It is. The idiot maintainer deleted his entire github account instead of just leaving it blank with no repos.

      --
      Your hair look like poop, Bob! - Wanker.

    2. Re:Does it seem... by Nemyst · · Score: 3, Insightful

      Much as that'd have avoided it, I don't think it's fair to call the maintainer "idiot" for what's essentially a problem with the way Github handles project names and URLs. He's no longer maintaining it and he should be able to do whatever the fuck he wants with the account without having to worry about stupid consequences like this.

    3. Re: Does it seem... by hackwrench · · Score: 1

      He did do whatever he wanted. That's the problem. He effectively killed himself on GitHub.

    4. Re:Does it seem... by someone1234 · · Score: 2

      You can't just do whatever you want without having to worry about consequences. If you drop off a bridge, gravity will take care of you.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry

    5. Re: Does it seem... by Anonymous Coward · · Score: 0

      Don't forget the poor dude that has to scrape your body off the pavement after. There are consequences for others too.

  2. There are some other repos by bobstreo · · Score: 4, Informative

    With issues. The current advice is to disable automatic updates for everything for a few days until this gets sorted out.

    Allegedly Exodus is having problems as well

    Here's how to just remove MK:

    http://koditips.com/uninstall-...

  3. wtf is this by Anonymous Coward · · Score: 0

    What's a metalkettle or a kodi and why should i care?

    1. Re:wtf is this by Anonymous Coward · · Score: 0

      nothing. carry on.

  4. May I be the first to point out the obvious? by Anonymous Coward · · Score: 4, Insightful

    Of course the fault here is not the reuse of the repository name, but trusting the repository implicitly in the first place. After all, both the repository and Kodi (whatever that is) would also be compromised if the account of anyone with push access was compromised, or if Github itself was compromised, for that matter.

    1. Re:May I be the first to point out the obvious? by dgatwood · · Score: 3, Informative

      This. Trusting even a first-party server is a flaw, much less a third-party server. If it is possible to significantly harm users by replacing official data with malicious data, that data should be signed, and the app should refuse to accept data that is not signed properly.

      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  5. Cloud computing by Anonymous Coward · · Score: 0

    This is classic security flaw in the cloud computing paradigm, where one depends on the security of other peoples' computers on the internet. The whole idea of "automatic updates" shares this flaw.

    1. Re:Cloud computing by Anonymous Coward · · Score: 0

      This whole trend drives me nuts. Why in the world can't anyone who depends on cloudy repositories to make their builds see that kind of thing coming?

      It is way too easy for someone to pick up their marbles and walk away. Having an imposter slip himself or herself into a deleted name is one thing, but more likely is having a needed repository going away unexpectedly.

      I wonder how much of this "I'm not going to maintain this any more so I'm going to take it down" mentality comes from people who buy into the putative right to be forgotten. "I'm taking my project down and that means that everybody can forget they ever heard about it."

  6. Why Not by sexconker · · Score: 4, Interesting

    Repo manager posts a publickey in the repo. User is prompted to trust or distrust that public key when adding the repo, or whenever the repo's public key changes.

    Repo manager signs everything they add with the corresponding private key. Users automatically verify everything they download with a stored copy of public key.

    Someone who takes over the repo can't fuck users over without also getting the private key or convincing users to trust the new public key.

    1. Re:Why Not by thegarbz · · Score: 1

      Public key? Trust? Keys changing? What the hell are you talking about man, I just want my toy to update!

      Sincerely
      The vast majority of users who have no idea if you were even speaking english in your post, let alone what a public key is or what it has to do with updating software.

    2. Re:Why Not by Anonymous Coward · · Score: 0

      GP is describing implementation. The vast majority of people would be users, not implementors, and wouldn't need to care about how it's done - a user prompt wouldn't need to mention those words you dislike at all. All that matters is the problem would be solved in an effective and user-friendly manner.

    3. Re:Why Not by wolrahnaes · · Score: 1

      Chrome extensions have been pretty much this for years. The user's never prompted to accept the key initially, but updates don't run unless the key matches. If you want to install a non-matching update you have to uninstall the old one first.

      I think that's a reasonable way to do it. The only time anyone other than the developer has to think about keys is if the developer loses control of their key.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
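      As an added example, not code from this thread, from Kodi or from Chrome, here is the scheme sexconker describes above, combined with the Chrome-extension rule wolrahnaes mentions (the client pins the key seen when the repo is added and refuses any update whose key differs), simulated in Go with Ed25519. The manifest contents, the repo and client types and the way the key travels with the update are assumptions made for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrKeyChanged = errors.New("repo key changed: refusing update until the user re-trusts it")
	ErrBadSig     = errors.New("manifest signature does not verify under the pinned key")
)

// Repo is the manager's side: a signing key and whatever it publishes. (Assumed model.)
type Repo struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewRepo() *Repo {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored only for brevity
	return &Repo{priv: priv, Pub: pub}
}

// Publish signs a manifest (think addons.xml) and returns it with its signature and key.
func (r *Repo) Publish(manifest []byte) ([]byte, []byte, ed25519.PublicKey) {
	return manifest, ed25519.Sign(r.priv, manifest), r.Pub
}

// Client pins the key seen when the repo is first added (trust on first use) and
// verifies every later download with that stored copy, never with the key shipped alongside.
type Client struct{ pinned ed25519.PublicKey }

func (c *Client) Update(manifest, sig []byte, pub ed25519.PublicKey) error {
	if c.pinned == nil {
		c.pinned = pub // first add: this is the point where a real client prompts the user
	} else if !c.pinned.Equal(pub) {
		return ErrKeyChanged // recycled name without the private key: treat as a new repo
	}
	if !ed25519.Verify(c.pinned, manifest, sig) {
		return ErrBadSig // key matches but content was altered in transit or at rest
	}
	return nil
}

func main() {
	orig, c := NewRepo(), &Client{}
	fmt.Println("first add:", c.Update(orig.Publish([]byte("addons.xml v1"))))
	fmt.Println("name takeover:", c.Update(NewRepo().Publish([]byte("addons.xml v2"))))
}
```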

  7. What? by jon3k · · Score: 1

    Can someone explain what this is? I found this but I don't really understand. Is this some addon to view pirated content? That article is from June 2017 but apparently the repo is already shut down?

    1. Re:What? by tlhIngan · · Score: 1

      > Can someone explain what this is? I found this but I don't really understand. Is this some addon to view pirated content? That article is from June 2017 but apparently the repo is already shut down?

      Could be. The reason being that the Kodi devs are trying to get pirate Kodi boxes shut down because they're ruining the Kodi name (i.e., people are associating Kodi with pirated content). It's why the Kodi devs have been taking down pirate Kodi box sellers (who also pollute the official Kodi forums - the customers find the plugins stop working then go to the forums and complain).

      Likely the Metal Kettle folks decided it wouldn't be a good idea for the longevity of the Kodi project (the devs are considering quitting - they want to work on the best damn media player on the planet, but not one that's associated heavily with pirates and "stolen" content).

      And hopefully it'll put a few of those pirate box sellers out of business.

    2. Re: What? by Anonymous Coward · · Score: 0

      Without that pirated content, kodi is a dead end. The fact that they ignore this is hilarious. They really think kodi can stand on its own. Hint: it can't.

    3. Re: What? by jon3k · · Score: 1

      I use Kodi without any of these pirate plugin things. I have no idea how they even work. And apparently they get shut down in a matter of weeks, anyway.

    4. Re: What? by Anonymous Coward · · Score: 0

      XMBC/Kodi got along fine without all the idiots beforehand, don't worry, those of us that have a clue do just fine.

  8. Code and package signing by Anonymous Coward · · Score: 0

    It's not that hard. Microsoft's Authenticode has been doing it for over a decade. Same with Apple's solution. Debian's apt repository indexes have been signed for just as long with a totally different application stack. Figure it out.

  9. Registered Trademark? by Anonymous Coward · · Score: 0

    Simple enough to solve if the author did the right thing.

  10. You could just delete 'origin' by juancn · · Score: 1

    Essentially run:

    git remote remove origin

    (it may have a different name if it was customized somehow)

    That way you can keep the repo and you won't pull something unwanted.

    1. Re:You could just delete 'origin' by drinkypoo · · Score: 1

      > That way you can keep the repo and you won't pull something unwanted.

      Kodi won't remove stuff because you remove the repo, will it? Never has before but I might be a version or two behind now.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"

  11. like fucking duh totes by Anonymous Coward · · Score: 0

    don't pirate. duh.

  12. Trust by hackwrench · · Score: 1

    You ran the same risk with the old guy as you do with the new guy.