Github repo resurrection security issue - Printable Version

Kodi Community Forum (https://forum.kodi.tv)
Forum: Discussions (https://forum.kodi.tv/forumdisplay.php?fid=222)
Forum: Kodi related discussions (https://forum.kodi.tv/forumdisplay.php?fid=6)
Thread: Github repo resurrection security issue (/showthread.php?tid=321661)
Github repo resurrection security issue - primaeval - 2017-09-17

This week saw some big name addons resurrected by a flaw in Github that allows anyone to take over a deleted account. Anyone who hadn't deleted the repo from their Kodi device would pull in the new addons, which could potentially be malicious.

A user on Slashdot suggested this could be prevented by signing the repo with a private key.
https://it.slashdot.org/comments.pl?sid=11121577&cid=55206729

Would this need some support from Kodi core?

Please no comments about it's the users' own fault for not limiting themselves to the main Kodi repo. There are many addons out there from devs that just haven't got the spare time to polish their addons for the Kodi repo.

RE: Github repo resurrection security issue - Martijn - 2017-09-17

Yes, it would need Kodi support for utilising a signing key.

RE: Github repo resurrection security issue - rmrector - 2017-09-17

This isn't just a GitHub thing but can happen any time an add-on developer relinquishes control of the repo URL without preparing the repo. A good way that add-on developers can protect users from this when retiring a Kodi add-on repo is to:
This gives users a warning directly in Kodi that they then ignore at their own peril.

Signing the repo is a good idea, but this is something every repo maintainer can already do, and should do before relinquishing control. Even after signing, it will be best to explicitly shut down the repo rather than disappearing and leaving a 404 or connection errors, as Kodi cannot automatically determine if these are a temporary outage and should try again later, or an intentional shut down and shouldn't.

RE: Github repo resurrection security issue - primaeval - 2017-09-18

Good advice @rmrector. It is not just Github.

I had a very scary experience with Telegram the other day. I signed up with a phone number that had been recycled and got full access to someone else's account, including contact list and all their encrypted messages. There must be lots of these services that use phone verification that are potentially open to abuse: Twitter, Facebook, Google.

I signed up again with another number and made sure I added a two-factor authentication password. I still don't trust their security.
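The signing scheme primaeval asks about and rmrector endorses, worked through as an added example in Go (not Kodi code and not from anyone in this thread): the maintainer publishes a detached Ed25519 signature over addons.xml, the client pins the maintainer's public key when the repository zip is first installed, and a repo resurrected at the same URL cannot serve an index that verifies under that key. Shipping the key inside the repository zip, the addons.xml.sig file name, the repository id, the index contents and the fixed seed are all assumptions or constructed data for the example. It also keeps rmrector's outage case separate, since a signature check cannot tell a 404 from a deliberate shutdown.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// RepoStatus is the outcome of a client-side index check.
type RepoStatus int

const (
	RepoTrusted     RepoStatus = iota // index verified under the pinned key
	RepoTampered                      // index served, but not signed by the pinned key
	RepoUnreachable                   // no index at all: outage or shutdown, cannot tell
)

func (s RepoStatus) String() string {
	return [...]string{"trusted", "tampered", "unreachable"}[s]
}

// PinnedRepo is what the client keeps from the repository zip it first installed:
// the repo id and the maintainer's public key (assumption: the key ships in the zip).
type PinnedRepo struct {
	ID     string
	PubKey ed25519.PublicKey
}

// SignIndex runs on the maintainer's side at publish time and produces a detached
// signature over addons.xml (hypothetical addons.xml.sig next to addons.xml.md5).
func SignIndex(priv ed25519.PrivateKey, addonsXML []byte) []byte {
	return ed25519.Sign(priv, addonsXML)
}

// CheckIndex runs on the client at each repo refresh. A missing index is reported
// separately, because a 404 cannot be distinguished from a temporary outage.
func CheckIndex(repo PinnedRepo, addonsXML, sig []byte) RepoStatus {
	if addonsXML == nil {
		return RepoUnreachable
	}
	// Verify returns false for a wrong key, altered content or a malformed signature.
	if !ed25519.Verify(repo.PubKey, addonsXML, sig) {
		return RepoTampered
	}
	return RepoTrusted
}

// Scenario replays the case from the thread with constructed data: the original
// maintainer publishes a signed index, the account is deleted and re-registered,
// and the new owner serves a different index from the same URL.
func Scenario() (original, resurrected, outage RepoStatus) {
	// Constructed, fixed seed so the run is reproducible; a real key comes from rand.
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	maintainerKey := ed25519.NewKeyFromSeed(seed)
	repo := PinnedRepo{
		ID:     "repository.example", // constructed repo id
		PubKey: maintainerKey.Public().(ed25519.PublicKey),
	}

	// Constructed index as published by the original maintainer.
	goodIndex := []byte(`<addons><addon id="plugin.video.example" version="1.0.0"/></addons>`)
	goodSig := SignIndex(maintainerKey, goodIndex)
	original = CheckIndex(repo, goodIndex, goodSig)

	// The new owner of the account does not hold the maintainer's key, so they can
	// only re-sign with their own key or reuse the old signature on new content.
	_, takeoverKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	badIndex := []byte(`<addons><addon id="plugin.video.example" version="9.9.9"/></addons>`)
	resurrected = CheckIndex(repo, badIndex, SignIndex(takeoverKey, badIndex))
	if CheckIndex(repo, badIndex, goodSig) != RepoTampered {
		panic("old signature must not verify new content")
	}

	// Maintainer disappeared instead of shutting down: the client sees no index.
	outage = CheckIndex(repo, nil, nil)
	return original, resurrected, outage
}

func main() {
	o, r, u := Scenario()
	fmt.Printf("original: %s, resurrected: %s, outage: %s\n", o, r, u)
}
```

The client trusts only the key it pinned at install time, so an account takeover changes nothing it can verify; the unreachable case is left to a policy decision (retry later, or treat as retired), which is exactly why rmrector recommends an explicit shutdown over a silent 404.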