Github repo resurrection security issue
#1
This week saw some big name addons resurrected by a flaw in Github that allows anyone to take over a deleted account.
Anyone who hadn't deleted the repo from their Kodi device would pull in the new addons which could potentially be malicious.

A user on Slashdot suggested this could be prevented by signing the repo with a private key.
https://it.slashdot.org/comments.pl?sid=...d=55206729

Would this need some support from Kodi core?

Please, no comments about it being the users' own fault for not limiting themselves to the main Kodi repo.
There are many addons out there from devs that just haven't got the spare time to polish their addons for the Kodi repo.
#2
Yes, it would need Kodi support for utilising a signing key.
#3
This isn't just a GitHub thing but can happen any time an add-on developer relinquishes control of the repo URL without preparing the repo. A good way that add-on developers can protect users from this when retiring a Kodi add-on repo is to:
  1. mark the repo add-on as broken in its repo
  2. remove all other add-ons so that there is no reason for users to keep the repo installed and enabled anyway
  3. wait for that to propagate to your users so that Kodi prompts them to disable it
    • at least 2 weeks will catch a good chunk of your users, but at least a month is better
    • even longer is best, to catch any old devices that may still come online; the longer the original is there but empty, the fewer users it will have, and it will be a less useful target for malicious purposes
  4. then you can remove it from GitHub or wherever

This gives users a warning directly in Kodi that they then ignore at their own peril.

Signing the repo is a good idea, but this is something every repo maintainer can already do, and should do before relinquishing control. Even after signing, it will be best to explicitly shut down the repo rather than disappearing and leaving a 404 or connection errors, as Kodi cannot automatically determine if these are a temporary outage and should try again later, or an intentional shut down and shouldn't.
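Added example, not code from this thread or from Kodi: a Go sketch of the repo signing raised in #1 and #3, showing why it would stop a resurrected repo where the addons.xml.md5 that a repository add-on's <checksum> URL already points at does not. Everything not in the thread is an assumption and is labelled as such in the comments: the pinned public key on the repository add-on is a hypothetical field, Ed25519 is my choice of signature scheme, and the two addons.xml snippets and the add-on id in them are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Constructed stand-ins for a repo's addons.xml; the add-on id and versions
// are made up for this example.
const genuineIndex = `<addons>
  <addon id="plugin.video.example" name="Example Video" version="1.2.0" provider-name="example"/>
</addons>`

// What a resurrected account could publish at the same URL: a higher version,
// so every device still pointing at the repo pulls it on its next update check.
const resurrectedIndex = `<addons>
  <addon id="plugin.video.example" name="Example Video" version="9.0.0" provider-name="new-owner"/>
</addons>`

// PinnedRepo is what a signing-aware repository add-on would have to carry:
// the maintainer's public key, shipped inside the repository add-on and so
// installed once, separately from the index it later verifies.
// Hypothetical field: a Kodi repository add-on today carries only URLs.
type PinnedRepo struct {
	Name   string
	PubKey ed25519.PublicKey
}

// Release is what the maintainer publishes: the index, the addons.xml.md5
// Kodi already fetches via <checksum>, and (new here) a detached signature.
type Release struct {
	Index     []byte
	MD5       string // hex contents of addons.xml.md5
	Signature []byte // Ed25519 signature over Index
}

// Publish is the maintainer-side step. The md5 is derived from the index, so
// whoever controls the URL can recompute it; only the signature needs priv.
func Publish(priv ed25519.PrivateKey, index []byte) Release {
	sum := md5.Sum(index)
	return Release{Index: index, MD5: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, index)}
}

// ChecksumOK is the integrity-only check Kodi performs today.
func ChecksumOK(r Release) bool {
	sum := md5.Sum(r.Index)
	return hex.EncodeToString(sum[:]) == r.MD5
}

// VerifyRelease is the client-side step the thread asks Kodi core for: accept
// the index only if it verifies under the key pinned at install time.
func VerifyRelease(repo PinnedRepo, r Release) ([]byte, error) {
	if len(repo.PubKey) != ed25519.PublicKeySize {
		return nil, errors.New(repo.Name + ": no pinned signing key")
	}
	if !ed25519.Verify(repo.PubKey, r.Index, r.Signature) {
		return nil, fmt.Errorf("%s: index signature does not verify, refusing update", repo.Name)
	}
	return r.Index, nil
}

// Outcome records how one fetched index fares against both checks.
type Outcome struct {
	ChecksumOK bool
	Accepted   bool
}

func fetch(repo PinnedRepo, r Release) Outcome {
	_, err := VerifyRelease(repo, r)
	return Outcome{ChecksumOK: ChecksumOK(r), Accepted: err == nil}
}

// Scenario walks through the resurrection: the developer signs a release, the
// repo URL changes hands, and the new owner publishes with a recomputed md5.
func Scenario() (Outcome, Outcome, Outcome, error) {
	devPub, devPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, Outcome{}, Outcome{}, err
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, Outcome{}, Outcome{}, err
	}
	repo := PinnedRepo{Name: "repository.example", PubKey: devPub}

	good := Publish(devPriv, []byte(genuineIndex))
	genuine := fetch(repo, good)

	// Attacker owns the URL but never had devPriv, so signs with their own key.
	resurrected := fetch(repo, Publish(attackerPriv, []byte(resurrectedIndex)))

	// Attacker keeps the developer's signature but edits the signed index
	// (bumping a version) and recomputes the md5; the signature is now stale.
	forged := good
	forged.Index = bytes.Replace(good.Index, []byte(`version="1.2.0"`), []byte(`version="1.2.1"`), 1)
	sum := md5.Sum(forged.Index)
	forged.MD5 = hex.EncodeToString(sum[:])
	tampered := fetch(repo, forged)
	return genuine, resurrected, tampered, nil
}

func main() {
	g, r, t, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %+v\nresurrected: %+v\ntampered: %+v\n", g, r, t)
}
```

The md5 passes in all three cases and the signature passes only for the genuine release, which is the whole point: the key is pinned when the repository add-on is first installed, so whoever later takes over the hosting account cannot produce a signature that verifies, and neither bumping versions nor recomputing addons.xml.md5 helps them. It does nothing for a user who installs the repository add-on for the first time after the takeover, and it does not address the 404 problem raised above, so the retirement steps in #3 still apply.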
#4
Good advice @rmrector. It is not just Github.

I had a very scary experience with Telegram the other day. I signed up with a phone number that had been recycled and got full access to someone else's account including contact list and all their encrypted messages.

There must be lots of these services that use phone verification that are potentially open to abuse: Twitter, Facebook, Google.

I signed up again with another number and made sure I added a two factor authentication password. I still don't trust their security.
