Formerly known as XBMC, the popularity of the entirely legal Kodi media player has soared in recent years.
Controversial third-party addons that provide access to infringing content have thrust Kodi into the mainstream and the product is now a household name.
Until recently, TVAddons.ag was the leading repository for these addons. During March, the platform had 40 million unique users connected to the site’s servers, together transferring an astounding petabyte of addons and updates.
Everything was going well until news broke last month that the people behind TVAddons were being sued in a federal court in Texas. Shortly after the site went dark and hasn’t been back since.
This was initially a nuisance to the millions of Kodi devices that relied on TVAddons for their addons and updates. With the site gone, none were forthcoming. However, the scene recovered relatively quickly and for users who know what they’re doing, addons are now available from elsewhere.
That being said, something very unusual happened this week. Out of the blue, several key TVAddons domains were transferred to a Canadian law firm. TVAddons, who have effectively disappeared, made no comment. The lawyer involved, Daniel Drapeau, ignored requests for an explanation.
While that’s unusual enough, there’s a bigger issue at play here for millions of former TVAddons users who haven’t yet wiped their devices or upgraded them to work with other repositories.
Without going into huge technical detail, any user of an augmented Kodi device that relied on TVAddons domains (TVAddons.ag, Offshoregit.com) for updates can be reasonably confident that the domains their device is now accessing are not controlled by TVAddons anymore. That is not good news.
When a user installs a Kodi addon or obtains an update, the whole system is based on human trust. People are told about a trustworthy source (repository or ‘repo’) and they feel happy getting their addons and updates from it.
However, any person in control of a repo can make a Kodi addon available that can do pretty much anything. When that’s getting free movies, people tend to be happy, but when that’s making a botnet out of set-top boxes, enthusiasm tends to wane a bit.
If the penny hasn’t yet dropped, consider this.
TVAddons’ domains are now being run by a law firm which refuses to answer questions but has the power to do whatever it likes with them, within the law of course. Currently, the domains are lying dormant and aren’t doing anything nefarious, but if that position changes, millions of people will have absolutely no idea anything is wrong.
TorrentFreak spoke to Kodi Project Manager Nathan Betzen who agrees that the current security situation probably isn’t what former TVAddons users had in mind.
“These are unsandboxed Python addons. The person [in control of] the repo could do whatever they wanted. You guys wrote about the addon that created a DDoS event,” Betzen says.
“If some malware author wanted, he could easily install a watcher that reports back the user’s IP address and everything they were doing in Kodi. If the law firm is actually an anti-piracy group, that seems like the likeliest thing I can think of,” he adds.
While nothing can be ruled out, it seems more likely that the law firm in question has taken control of TVAddons’ domains in order to put them out of action, potentially as part of a settlement in the Dish Network lawsuit. However, since it refuses to answer any questions, everything is open to speculation.
Another possibility is that the domains are being held pending sale, which then raises questions over who the buyer might be and what their intentions are. The bottom line is we simply do not know and since nobody is talking, it might be prudent to consider the worst case scenario.
“If it’s just a holding group, then people [in control of the domain/repo] could do whatever they can think of. Want a few million incredibly inefficient bit mining boxes?” Betzen speculates.
While this scenario is certainly a possibility, one would at least like to think of it as unlikely. That being said, plenty of Internet security fails can be attributed to people simply hoping for the best when things go bad. That rarely works.
On the plus side, Betzen says that since Python code is usually pretty easy to read, any nefarious action could be spotted by vigilant members of the community fairly quickly. However, Martijn Kaijser from Team Kodi warns that it’s possible to ship precompiled Python code instead of the readable versions.
“You can’t even see what’s in the Python files and what they do,” he notes.
Finally, there’s a possibility that TVAddons may be considering some kind of comeback. Earlier this week a new domain – TVAddons.co – was freshly registered, just after the old domains shifted to the law firm. At this stage, however, nothing is known about the site’s plans.