There ain’t no such thing as a free show

By Haocheng Huang


Netflix has forever changed the way we consume television. Beginning in 1998, Netflix operated as a DVD rental service and introduced the subscription model, moving away from single-DVD rentals. The idea was that subscribers could rent as many DVDs as they wanted without paying any extra costs or late fees. It was 9 years later that Netflix began to change the landscape of digital media with the idea of “streaming”. Today, Netflix is a truly global phenomenon: people can access the same content across the world. There is also a problem: people who want to enjoy the content but do not want to pay the subscription fee. Today, there is an entire market online for jailbroken and modified devices that are used to watch the same content for free. They come at a much cheaper price, and some even offer free, unlimited access to shows that people normally have to pay a subscription fee for. These devices are very similar to a Roku or a Fire TV Stick: you just plug it into the TV’s USB port, connect it to your Wi-Fi, and you can watch all the shows. However, even if the hardware isn’t laced with malware, the apps are. Since streaming is where consumers go for their home entertainment in 2019, malicious actors are now targeting streaming as a place to exploit consumers. We will look into the Kodi software and identify potential vulnerabilities within the application.

What is Kodi?

Kodi is an open-source media player application that lets users play local media and stream remote media such as videos and music on PCs, set-top boxes, smartphones, and tablets. Today, Kodi has roughly 12 million active users using “TV add-ons” to stream videos.

From the image above we can see that the Kodi software itself does not come with any pre-installed content. A Kodi box can be viewed as a brand-new smartphone: it is up to the users to do what they want with it, whether that is accessing licensed or unlicensed content.


Today, Kodi boxes are mostly known by the term “fully loaded”. This means that the box is packed with unofficial add-ons and the Kodi software is configured to access unlicensed content. These unofficial add-ons can carry malware that ends up on your local machine once you install the add-on. Kodi itself also has vulnerabilities; if you search for Kodi on you can see the previous exploits. There is the “Kodi 17.0 Local File Inclusion” vulnerability, which enables hackers to access a user’s content on a Kodi box, including personal photographs, videos, and other media files. There is also the “Kodi Web Server 16.1” vulnerability, which enables a threat actor to launch an attack on Kodi boxes using a user’s network and bandwidth. Rather than trying to find and install a malware-infected add-on and see exactly what it does on my network, I decided to look for vulnerabilities myself. Since we are learning about XSS in class, I wanted to see if any XSS vulnerabilities existed.

Since Kodi itself does not come with any pre-installed content, I wanted to keep this experiment away from any add-ons. The first step in looking for a potential XSS vulnerability is to find the places that accept input. After using the Kodi application for an hour or so, the only places that allow users to input a text string are the “create playlist” and “upload file” sections. But none of these input sections contained any XSS vulnerabilities, as expected given the previously identified XSS vulnerability on version 17.6 (

But after reading through the Kodi wiki, I found out that there is a web interface option for the Kodi software. The web interface allows users to control and interact with their Kodi installation through a web browser.

Steps to Reproduce:

I have found a reflected XSS vulnerability in the web interface of Kodi that allows arbitrary HTML/script code to be executed in the victim’s browser. This vulnerability was tested with Windows 10 Pro and OSX operating systems.

  1. Set up the Kodi web interface
    1. Download and install Kodi v18.4 “Leia”
    2. Go to Settings, then Services, then Control, and turn on “Allow remote control via HTTP”
  2. Open a web browser and go to http://<device_ip_address>:<port>
  3. Once you are in the web interface, in the bottom-right corner you can see this symbol. Click it and it will expand; click the “Send text to Kodi” option.
  4. An input bar will pop up; now just run your XSS command.
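The “Send text to Kodi” field described above is a reflection point: whatever is typed is echoed back into the page. The following is an added example, not code from the original post or from the Kodi project, written in JavaScript because the web interface runs in the browser. It shows why such a field is dangerous when the text is concatenated straight into markup, how output encoding neutralizes it, and a small check a defender can run over web-server access logs to spot query values that carry raw markup. The `/echo` route, the `text` parameter and the log lines are constructed assumptions for illustration.

```javascript
// Added example, not code from the original post or from Kodi:
// (1) a "send text" feature rendered unsafely versus safely, and
// (2) a log check for query values that contain raw HTML markup.
// The /echo route, the "text" parameter and the log lines below are
// constructed assumptions for illustration only.

// Escape the five characters that let untrusted text break out of an
// HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe rendering: untrusted text is concatenated straight into markup.
// This is the pattern behind a reflected XSS, shown here for contrast only.
function renderEchoUnsafe(text) {
  return `<p class="echo">You sent: ${text}</p>`;
}

// Safe rendering: the text is encoded first, so the browser can only ever
// treat it as text, never as elements or event handlers.
function renderEchoSafe(text) {
  return `<p class="echo">You sent: ${escapeHtml(text)}</p>`;
}

// True if the rendered HTML contains more angle brackets than the template
// itself contributes, i.e. some of the input survived as raw markup.
function leaksMarkup(html) {
  const templateAngles = (renderEchoSafe('').match(/[<>]/g) || []).length;
  const outputAngles = (html.match(/[<>]/g) || []).length;
  return outputAngles > templateAngles;
}

// Constructed access-log lines in common log format (not real Kodi logs).
const SAMPLE_LOG = [
  '192.0.2.10 - - [01/Jan/2019:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
  '192.0.2.11 - - [01/Jan/2019:10:00:05 +0000] "GET /echo?text=hello%20world HTTP/1.1" 200 128',
  '192.0.2.12 - - [01/Jan/2019:10:00:09 +0000] "GET /echo?text=%3Cb%3Ehi%3C%2Fb%3E HTTP/1.1" 200 140',
];

// Return the requests whose URL-decoded query values contain angle brackets.
// These are the requests worth reviewing when a reflected input is suspected.
function findMarkupInQueries(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST) (\S+) HTTP\//);
    if (!m) continue;
    const q = m[1].indexOf('?');
    if (q < 0) continue;
    for (const [key, value] of new URLSearchParams(m[1].slice(q + 1))) {
      if (/[<>]/.test(value)) hits.push({ line, key, value });
    }
  }
  return hits;
}

// Stand-alone demonstration with a harmless constructed input.
const sampleInput = '<b>hi</b>';
console.log('unsafe:', renderEchoUnsafe(sampleInput), 'leaks:', leaksMarkup(renderEchoUnsafe(sampleInput)));
console.log('safe:  ', renderEchoSafe(sampleInput), 'leaks:', leaksMarkup(renderEchoSafe(sampleInput)));
console.log('suspicious requests:', findMarkupInQueries(SAMPLE_LOG).map((h) => `${h.key}=${h.value}`));
```

In a real browser-side interface the equivalent of `renderEchoSafe` is to assign the text with `element.textContent` rather than `element.innerHTML`, so no encoding step can be forgotten; a Content-Security-Policy header that disallows inline scripts further limits what a missed encoding can do.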

Future work:

At this time, I have submitted a bug report to the Kodi Team via GitHub ( I will be following this ticket very closely to see if there are any updates. Even though many of the problems involve third-party software, I believe that the Kodi media player itself is very weak in security. When a page is compromised with cross-site scripting, a collection of issues can quickly emerge. Examples of this are exposure of sensitive data, redirection of web pages, upload of malicious programs, and more. I wish I had been able to make more progress with this project within this time, but in the future I will continue to explore Kodi and other similar media players. My next steps would be to learn more about XSS and to see how far the exploit I discovered can go. Also, it would be interesting to install a malware-infected add-on to see exactly what the software is doing on the network.


Many believe that the root of the problem is not Kodi, because Kodi is simply a front-end application. If Kodi is gone tomorrow, other media players will take its place. I believe the root of the problem starts with us: the consumers. It is natural for humans to be blinded by the word “free”. Often unaware of the risks, users of this software are baited into trying something they think is free or cheap but that comes with a hidden cost: privacy.

