Kodi is one of the most popular multimedia centers today thanks to how versatile and powerful it can be. It is so popular that many have used it to sell multimedia boxes that give access to all types of content, something that has made those boxes a new target of the audiovisual industry.
The application formerly known as XBMC is installed on millions of computers, but many people do not correctly configure the security of their installation, specifically the Chorus2 remote access interface.
Chorus2 lets you access all the content in your multimedia center through a web interface in the browser. It also works as a remote control, that is, it lets you control the content of a Kodi installation from any other device.
The problem with this is that Chorus2’s default configuration is incredibly insecure and if the user does not add a password, anyone with access to a browser and the user’s IP can look at all the content.
TorrentFreak explains how it is possible to access a user's library in seconds through a specialized search engine.
The Kodi web interface acts exactly like a web page, so anyone who has the user's IP address and adds :8080 to the end of the URL can access the library.
A third party can also reach the add-ons and even the system settings, where they can see user names or do things like disable the keyboard and mouse.
Chorus2 is not even a plugin that must be installed separately, as was the case with the old Chorus. When you install the latest version of Kodi available on the official website or in the Windows store, the web interface is ready to use as soon as you activate remote control via HTTP in the settings.
All your content exposed on the web just for not changing the default password
The Kodi web interface obviously also lets a visitor play all the content, or download it. This includes any music or video folder that you have associated with your Kodi installation, meaning that a stranger anywhere in the world who knows your IP can download your private videos from their browser.
The Kodi team explains in its Chorus2 usage guide that the default port number is 8080, and that to access the library on the same computer you just open the URL http://localhost:8080/. To do it from another computer, just type the Kodi machine's IP address in any browser followed by :8080.
Although they recommend changing the default username and password (both are “kodi”), many users do not, and that is where the main problem lies.
One part is the user's fault for not being careful with their devices, and the other is perhaps Kodi's, for not making the interface proof against careless or clueless users and so leaving them vulnerable.
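To check your own installation for the weak configuration described above, the following added example (not code from Kodi or TorrentFreak) audits the web server settings in a Kodi settings file. It assumes the Kodi 18+ `guisettings.xml` layout and the setting ids `services.webserver`, `services.webserverport`, `services.webserverusername` and `services.webserverpassword`; the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real user's file. Layout and setting ids are
# assumed from Kodi 18+ guisettings.xml; confirm them in your own copy.
SAMPLE = """<settings version="2">
  <setting id="services.webserver">true</setting>
  <setting id="services.webserverport" default="true">8080</setting>
  <setting id="services.webserverusername" default="true">kodi</setting>
  <setting id="services.webserverpassword" default="true" />
</settings>"""


def audit_webserver(xml_text):
    """Return finding codes for the 'remote control via HTTP' settings."""
    root = ET.fromstring(xml_text)
    # Map setting id -> text value ('' when the element is empty).
    values = {s.get("id"): (s.text or "").strip() for s in root.iter("setting")}
    if values.get("services.webserver", "false").lower() != "true":
        return []  # web interface is off, nothing is served over HTTP
    user = values.get("services.webserverusername", "")
    password = values.get("services.webserverpassword", "")
    findings = []
    if not password:
        findings.append("NO_PASSWORD")
    elif (user, password) == ("kodi", "kodi"):
        findings.append("DEFAULT_CREDENTIALS")
    if values.get("services.webserverport", "8080") == "8080":
        findings.append("DEFAULT_PORT")
    return findings


if __name__ == "__main__":
    print(audit_webserver(SAMPLE))
```

Pass the text of the `guisettings.xml` from your Kodi userdata folder to `audit_webserver`; an empty list means the web interface is either disabled or protected by a non-default password on a non-default port.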