Addons that delete competitor's addons
(2016-05-05, 09:34)spoyser Wrote: It may be worth mentioning that it is also possible to "hi-jack" an addon simply by pushing an addon with the same ID as an existing one but with a higher version number (provided the user has your repo installed).

So theoretically a developer could push a rogue YouTube addon to their repo with a bumped version number, anyone with that repo and the official YouTube addon (from the org repo) would get their addon updated to the rogue addon (if they have auto updates on they might not even notice it).

This rogue addon could behave exactly the same as the official one, but under the hood could be doing anything it felt like; if it runs a service it wouldn't even need to be started, simply having it installed would be enough.
Couldn't this be easily fixed by disallowing automatic updates from a different repo than the one the addon was originally installed from by the user? If the user wants to do a cross-repo update (i.e. for some addon that was abandoned and then reappeared in a different repo) it would have to be done manually by the user.
Or going even further, being able to mark whole repos as valid / not valid sources for automatic addon updates, all of the installed repos but the official one being marked as not auto-updatable by default; if the user activates auto update for a given repo, a warning should be given about this security issue...
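The hijack spoyser describes and the origin-repo pinning thorazine74 proposes, side by side as an added example (not Kodi's own update code): the repo names, the add-on ID and the versions are constructed, and the only detail assumed is that each installed add-on records which repo it came from.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric add-on version, e.g. '1.0.1' -> (1, 0, 1)."""
    return tuple(int(part) for part in v.split("."))

@dataclass(frozen=True)
class Candidate:
    addon_id: str   # e.g. plugin.video.example (constructed ID)
    version: str
    repo: str       # repository that offers this copy

@dataclass(frozen=True)
class Installed:
    addon_id: str
    version: str
    origin_repo: str  # repo the user originally installed the add-on from

def highest_newer(installed: Installed, candidates: List[Candidate]) -> Optional[Candidate]:
    """Naive policy: the highest version for the same ID wins, whichever repo offers it.
    This is what lets a rogue repo take over an add-on just by bumping the version."""
    newer = [c for c in candidates
             if c.addon_id == installed.addon_id
             and parse_version(c.version) > parse_version(installed.version)]
    return max(newer, key=lambda c: parse_version(c.version), default=None)

def origin_pinned(installed: Installed, candidates: List[Candidate]) -> Optional[Candidate]:
    """Hardened policy: auto-update only from the repo the add-on was installed from."""
    same_repo = [c for c in candidates if c.repo == installed.origin_repo]
    return highest_newer(installed, same_repo)

def cross_repo_offers(installed: Installed, candidates: List[Candidate]) -> List[Candidate]:
    """Newer copies from other repos: surface them for a manual decision, never auto-apply."""
    return [c for c in candidates
            if c.addon_id == installed.addon_id
            and c.repo != installed.origin_repo
            and parse_version(c.version) > parse_version(installed.version)]

# Constructed sample: the official repo ships a point release, a third-party
# repo ships the same ID with a wildly bumped version number.
INSTALLED = Installed("plugin.video.example", "1.0.0", "repository.official")
CANDIDATES = [
    Candidate("plugin.video.example", "1.0.1", "repository.official"),
    Candidate("plugin.video.example", "9.9.9", "repository.thirdparty"),
    Candidate("plugin.video.other", "2.0.0", "repository.thirdparty"),
]
```

With the naive policy the 9.9.9 copy from the third-party repo is what gets installed; with origin pinning the user silently receives 1.0.1 and the foreign 9.9.9 is only listed as something to opt into by hand.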
(2016-05-05, 16:02)thorazine74 Wrote:
(2016-05-05, 09:34)spoyser Wrote: It may be worth mentioning that it is also possible to "hi-jack" an addon simply by pushing an addon with the same ID as an existing one but with a higher version number (provided the user has your repo installed).

So theoretically a developer could push a rogue YouTube addon to their repo with a bumped version number, anyone with that repo and the official YouTube addon (from the org repo) would get their addon updated to the rogue addon (if they have auto updates on they might not even notice it).

This rogue addon could behave exactly the same as the official one, but under the hood could be doing anything it felt like; if it runs a service it wouldn't even need to be started, simply having it installed would be enough.
Couldn't this be easily fixed by disallowing automatic updates from a different repo than the one the addon was originally installed from by the user? If the user wants to do a cross-repo update (i.e. for some addon that was abandoned and then reappeared in a different repo) it would have to be done manually by the user.
Or going even further, being able to mark whole repos as valid / not valid sources for automatic addon updates, all of the installed repos but the official one being marked as not auto-updatable by default; if the user activates auto update for a given repo, a warning should be given about this security issue...
AFAIK this is already addressed in v17
(2016-05-05, 09:14)Koying Wrote: "Kodi is a power user's tool that is now within reach of everyone" is exactly the main issue, really, not python addons. You can see it every day in the forums (at least on the Android side) that users are using Kodi with little to no knowledge of how a computer works.
On a properly secured computer, the worst an addon can do is trash your Kodi install, because Kodi is supposed to be sandboxed. Taking Android, where each app is sandboxed, there is no way an addon could change your hosts file, for instance.

Python was maybe a poor choice as the addon language in the first place, but I hardly see it being replaced based on those concerns only. I heard MrMC has plans to implement javascript (because it's the builtin script language on tvOS), but I must say I don't see that leading anywhere....

Bottom-line:
- Should the "power users" be punished because "everyone" has no clue of what they're doing? I don't think so (anymore)...
- Should python be replaced by something else more secure? Surely, but assuming someone takes up the task, it will take years...
- Is it sane that Kodi is used by millions of computer-illiterate users? Probably not... Wink

What a great way to sum up the recent plight of Kodi and its users... Couldn't agree more.

(2016-05-05, 16:14)da-anda Wrote:
(2016-05-05, 16:02)thorazine74 Wrote:
(2016-05-05, 09:34)spoyser Wrote: It may be worth mentioning that it is also possible to "hi-jack" an addon simply by pushing an addon with the same ID as an existing one but with a higher version number (provided the user has your repo installed).

So theoretically a developer could push a rogue YouTube addon to their repo with a bumped version number, anyone with that repo and the official YouTube addon (from the org repo) would get their addon updated to the rogue addon (if they have auto updates on they might not even notice it).

This rogue addon could behave exactly the same as the official one, but under the hood could be doing anything it felt like; if it runs a service it wouldn't even need to be started, simply having it installed would be enough.
Couldn't this be easily fixed by disallowing automatic updates from a different repo than the one the addon was originally installed from by the user? If the user wants to do a cross-repo update (i.e. for some addon that was abandoned and then reappeared in a different repo) it would have to be done manually by the user.
Or going even further, being able to mark whole repos as valid / not valid sources for automatic addon updates, all of the installed repos but the official one being marked as not auto-updatable by default; if the user activates auto update for a given repo, a warning should be given about this security issue...
AFAIK this is already addressed in v17

This is awesome news... do you know the PR? I'd like to see how it works...
I at least assume this PR does somewhat address it https://github.com/xbmc/xbmc/pull/9643
(2016-05-06, 11:05)da-anda Wrote: I at least assume this PR does somewhat address it https://github.com/xbmc/xbmc/pull/9643


What happens in the case of auto updating?
no idea actually, waiting for reply. I'll keep you posted
A very positive development: noobsandnerds have released "Security Shield" which flags up user reported dangerous addons.
http://www.noobsandnerds.com/addons/show...ityshield/

Here is the post that describes the threat and solution:
http://noobsandnerds.com/latest/?p=3779



/trolling off
(2016-05-23, 09:18)primaeval Wrote: A very positive development: noobsandnerds have released "Security Shield" which flags up user reported dangerous addons.
http://www.noobsandnerds.com/addons/show...ityshield/

Here is the post that describes the threat and solution:
http://noobsandnerds.com/latest/?p=3779



/trolling off

Far from positive IMO

NaN are hardly a trustable source, their blog regarding this addon seems to be just scaremongering, what Lee has posted sounds very dubious to say the least, and is just adding fuel to the fire.

Apparently he was told by a concerned user that a repo had been hijacked, which then deleted his (not the concerned user's) system, but apparently the repo isn't even in the public domain, so how did the concerned user get the "hijacked version"?? And the culprit even went to all the trouble of masking the source of the repo?? Do me a favour!!

That addon simply flags up anything they want to bad mouth! Is that what you want to base your system's security on?
(2016-05-23, 09:34)spoyser Wrote:
(2016-05-23, 09:18)primaeval Wrote: A very positive development: noobsandnerds have released "Security Shield" which flags up user reported dangerous addons.
http://www.noobsandnerds.com/addons/show...ityshield/

Here is the post that describes the threat and solution:
http://noobsandnerds.com/latest/?p=3779



/trolling off

Far from positive IMO

NaN are hardly a trustable source, their blog regarding this addon seems to be just scaremongering, what Lee has posted sounds very dubious to say the least, and is just adding fuel to the fire.

Apparently he was told by a concerned user that a repo had been hijacked, which then deleted his (not the concerned user's) system, but apparently the repo isn't even in the public domain, so how did the concerned user get the "hijacked version"?? And the culprit even went to all the trouble of masking the source of the repo?? Do me a favour!!

That addon simply flags up anything they want to bad mouth! Is that what you want to base your system's security on?

It may not be perfect but at least he is doing something. I would rather have a false positive than nothing.
(2016-05-23, 09:37)primaeval Wrote:
(2016-05-23, 09:34)spoyser Wrote:
(2016-05-23, 09:18)primaeval Wrote: A very positive development: noobsandnerds have released "Security Shield" which flags up user reported dangerous addons.
http://www.noobsandnerds.com/addons/show...ityshield/

Here is the post that describes the threat and solution:
http://noobsandnerds.com/latest/?p=3779



/trolling off

Far from positive IMO

NaN are hardly a trustable source, their blog regarding this addon seems to be just scaremongering, what Lee has posted sounds very dubious to say the least, and is just adding fuel to the fire.

Apparently he was told by a concerned user that a repo had been hijacked, which then deleted his (not the concerned user's) system, but apparently the repo isn't even in the public domain, so how did the concerned user get the "hijacked version"?? And the culprit even went to all the trouble of masking the source of the repo?? Do me a favour!!

That addon simply flags up anything they want to bad mouth! Is that what you want to base your system's security on?

It may not be perfect but at least he is doing something. I would rather have a false positive than nothing.

Nah, he is just putting oil on the fire with this shitty script
(2016-05-23, 09:41)misa Wrote:
(2016-05-23, 09:37)primaeval Wrote:
(2016-05-23, 09:34)spoyser Wrote: Far from positive IMO

NaN are hardly a trustable source, their blog regarding this addon seems to be just scaremongering, what Lee has posted sounds very dubious to say the least, and is just adding fuel to the fire.

Apparently he was told by a concerned user that a repo had been hijacked, which then deleted his (not the concerned user's) system, but apparently the repo isn't even in the public domain, so how did the concerned user get the "hijacked version"?? And the culprit even went to all the trouble of masking the source of the repo?? Do me a favour!!

That addon simply flags up anything they want to bad mouth! Is that what you want to base your system's security on?

It may not be perfect but at least he is doing something. I would rather have a false positive than nothing.

Nah, he is just putting oil on the fire with this shitty script

And your solution is?
Let's add a setup quiz to Kodi (one you can NOT skip) which determines how intelligent the user is.
Depending on his score, he'll be allowed more or less settings (including to add 3rd-party stuff) Big Grin
^^ This!
(2016-05-23, 10:10)Tadly Wrote: Let's add a setup quiz to Kodi (one you can NOT skip) which determines how intelligent the user is.
Depending on his score, he'll be allowed more or less settings (including to add 3rd-party stuff) Big Grin

The new setting to disable third party repos by default is a good start.

Effectively calling your users idiots might not go down well with Kodi's sponsors.
(2016-05-23, 10:33)primaeval Wrote: The new setting to disable third party repos by default is a good start.

Effectively calling your users idiots might not go down well with Kodi's sponsors.

I love it when people put words in my mouth :) (thanks for that)

Just to be clear. This "suggestion" of mine was just a joke.
As it was mentioned a few times already, if users stick to the official repo, there's nothing to worry about.

If a user buys one of those fancy, crap-loaded boxes it's their own fault for not informing themselves properly first. (There's no excuse imo)
Oh, and as everyone should know already, this ^ is something we already address as well as we can.