A removed and inactive third-party Kodi repository has become vulnerable after an outsider re-registered the GitHub account of its developer. Former Kodi-addon developer MetalKettle urges people to delete his repository, stating that it’s no longer safe.
A few weeks ago MetalKettle, one of the most famous Kodi addon developers of recent times, decided to call it quits.
Worried about potential legal risks, he saw no other option than to halt all development of third-party Kodi addons.
Two months before this announcement, the developer proceeded to remove the GitHub account which was used to distribute his addons. However, he didn’t realize that this might not have been the best decision.
As it turns out, GitHub allows outsiders to re-register names of deleted accounts. While this might not be a problem in most cases, it can be disastrous when the accounts are connected to Kodi add-ons that are constantly pinging for new updates.
In essence, it means that the person who registered the GitHub account can load content onto the boxes of people who still have the MetalKettle repo installed. That is quite a dangerous prospect, something MetalKettle realizes as well.
“Someone has re-registered metalkettle on github. So in theory could pollute any devices with the repo still installed,” he warned on Twitter.
“Warning : if any users have a metalkettle repo installed on their systems or within a build – please delete ASAP,” he added.
The real MetalKettle, meanwhile, was contacted by TVAddons regarding the situation and they have placed the repository on their Indigo blacklist of banned software. This effectively disables the repository on devices with Indigo installed.
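A local check along the same lines, as an added example that is not from the article, MetalKettle or TVAddons: it reads the addon.xml of a Kodi repository add-on and flags update URLs served from a GitHub account listed as no longer trustworthy. Only the account name metalkettle comes from the article; the add-on ids, repository names and mirror host in the samples are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Account names no longer controlled by the original developer ("metalkettle" is from the article).
UNTRUSTED_OWNERS = {"metalkettle"}
GITHUB_HOSTS = {"github.com", "www.github.com", "raw.githubusercontent.com", "raw.github.com"}
URL_TAGS = {"info", "checksum", "datadir"}  # update-source elements of a repository add-on

def github_owner(url):
    """Return the lower-cased GitHub account a URL points at, or None if not GitHub-hosted."""
    parsed = urlparse(url.strip())
    host = (parsed.hostname or "").lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host in GITHUB_HOSTS:
        return parts[0].lower() if parts else None
    if host.endswith(".github.io"):  # GitHub Pages: the account is the subdomain
        return host[: -len(".github.io")]
    return None

def audit_repo_addon(addon_xml, untrusted=UNTRUSTED_OWNERS):
    """Return (addon_id, tag, url) for every update URL served from an untrusted account."""
    root = ET.fromstring(addon_xml)
    findings = []
    for ext in root.iter("extension"):
        if ext.get("point") != "xbmc.addon.repository":
            continue
        for el in ext.iter():
            if el.tag in URL_TAGS and el.text and github_owner(el.text) in untrusted:
                findings.append((root.get("id"), el.tag, el.text.strip()))
    return findings

# Constructed samples: add-on ids, repository names and the mirror host are placeholders.
SAMPLE_STALE = """<addon id="repository.example-old" name="Old repo" version="1.0.0">
  <extension point="xbmc.addon.repository">
    <info>https://raw.githubusercontent.com/MetalKettle/EXAMPLE-REPO/master/addons.xml</info>
    <checksum>https://raw.githubusercontent.com/MetalKettle/EXAMPLE-REPO/master/addons.xml.md5</checksum>
    <datadir zip="true">https://github.com/metalkettle/EXAMPLE-REPO/raw/master/zips/</datadir>
  </extension>
</addon>"""
SAMPLE_OTHER = """<addon id="repository.example-other" name="Other" version="1.0.0">
  <extension point="xbmc.addon.repository">
    <info>https://mirror.example.org/metalkettle/addons.xml</info>
    <datadir zip="true">https://mirror.example.org/metalkettle/zips/</datadir>
  </extension>
</addon>"""
if __name__ == "__main__":
    for sample in (SAMPLE_STALE, SAMPLE_OTHER):
        for finding in audit_repo_addon(sample):
            print("untrusted update source:", finding)
```

The owner comparison is case-insensitive because GitHub account names are, and the second sample shows that a matching path on a non-GitHub host is not flagged.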
GitHub, in turn, may want to reconsider its removal policy. Perhaps it’s smarter to not make old usernames available for registration, at least not for a while, as it’s clearly a vulnerability.
This is also shown by another Kodi repo controversy that appeared earlier today. Another GitHub account that was reportedly deleted earlier resurfaced today, pushing a new version of the Exodus addon and other sources.
According to some, the GitHub account is operated by the original Exodus developers and perfectly safe, but others warn that the name was re-registered in bad faith.
The Mixdoctor Team Member of koditalk.org