Warning: 'MetalKettle' Repository For Kodi Becomes Vulnerable After GitHub Takeover (betanews.com)
BrianFagioli shares a report from BetaNews: Unfortunately, there can apparently be security issues with repositories when they shut down. For example, when the metalkettle repo ended, the developer deleted its entry on GitHub. This in itself is not a cause for concern, but unfortunately, GitHub's allowance of project names to be recycled is. You see, someone re-registered the metalkettle name, making it possible for nefarious people to potentially serve up malware to Kodi users. The warning came from the metalkettle developer over on Twitter. He warns that devices with the repository installed could be in danger from a security standpoint. If a user was to search that repo, and the new owner of the GitHub name was to share malware, the user could assume it is safe and install it. We do not know 100 percent if the person that re-registered the metalkettle name on GitHub is planning anything evil, but it is better to be safe than sorry. If you still have the repository installed, you should remove it immediately. Not to mention, if you know someone using Kodi, such as a friend or family member, you should warn them too.
With issues. The current advice is to disable automatic updates for everything for a few days until this gets sorted out.
Allegedly Exodus is having problems as well.
Here's how to just remove MK:
http://koditips.com/uninstall-...
This. Trusting even a first-party server is a flaw, much less a third-party server. If it is possible to significantly harm users by replacing official data with malicious data, that data should be signed, and the app should refuse to accept data that is not signed properly.
Check out my sci-fi/humor trilogy at PatriotsBooks.
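The check the comment above calls for, as an added example (not from the original thread and not Kodi's own code): a client pins the publisher's public key and refuses any repository index that lacks a valid signature under it. It uses stdlib-only RSA with PKCS#1 v1.5 SHA-256 encoding; the keys are built from known Mersenne primes and the index contents are constructed, so both are insecure placeholders for illustration only.

```python
import hashlib

# DER prefix of a SHA-256 DigestInfo (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def _encode(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def make_demo_key(p: int, q: int, e: int = 65537):
    """Constructed demo key from known primes: insecure, illustration only."""
    n = p * q
    return (n, e), pow(e, -1, (p - 1) * (q - 1))

def sign(message: bytes, public, d: int) -> int:
    n, _ = public
    return pow(_encode(message, (n.bit_length() + 7) // 8), d, n)

def verify(message: bytes, signature, pinned_public) -> bool:
    """Accept the data only if the signature is valid under the pinned key."""
    n, e = pinned_public
    if not isinstance(signature, int) or not 0 < signature < n:
        return False  # missing or malformed signature: refuse
    return pow(signature, e, n) == _encode(message, (n.bit_length() + 7) // 8)

# Original publisher: the public half is what the client pinned at install time.
PUBLISHER_PUB, PUBLISHER_PRIV = make_demo_key(2**521 - 1, 2**607 - 1)
INDEX = b'<addons><addon id="plugin.example" version="1.0.0"/></addons>'  # constructed
GOOD_SIG = sign(INDEX, PUBLISHER_PUB, PUBLISHER_PRIV)

# New owner of the recycled name: controls the URL, not the publisher's key.
SQUATTER_PUB, SQUATTER_PRIV = make_demo_key(2**127 - 1, 2**607 - 1)
EVIL_INDEX = INDEX.replace(b"1.0.0", b"9.9.9")
EVIL_SIG = sign(EVIL_INDEX, SQUATTER_PUB, SQUATTER_PRIV)

if __name__ == "__main__":
    print("publisher index:", verify(INDEX, GOOD_SIG, PUBLISHER_PUB))
    print("replayed signature:", verify(EVIL_INDEX, GOOD_SIG, PUBLISHER_PUB))
    print("squatter signature:", verify(EVIL_INDEX, EVIL_SIG, PUBLISHER_PUB))
    print("no signature:", verify(EVIL_INDEX, None, PUBLISHER_PUB))
```

The last case in the test, where the squatter's signature verifies under the squatter's own key, is why the key must be pinned in the client rather than fetched from the same location as the data.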
> That uniqueness should be based on the project name AND the userid of the owner?
It is. The idiot maintainer deleted his entire GitHub account instead of just leaving it blank with no repos.
Your hair look like poop, Bob! - Wanker.