Kodi fans have been warned about a vulnerability which leaves them exposed to complete strangers spying on them.
The Kodi surge continues without any sign of stopping, as users continue to ditch paid TV services for the online player.
Research has suggested Kodi – which offers access to thousands of channels – is being used in more than five million UK homes.
Kodi software is not illegal, but developers can produce third-party add-ons that provide free access to pirated and illegal content.
The illegal add-ons are being targeted by ISPs, government agencies, broadcasters and rights holders.
And now Kodi users are being warned that they could be at risk of having complete strangers spy on what they’re doing.
TorrentFreak reported that large numbers of Kodi users are running a setup which attackers can access with just a few simple tricks.
It all centres on the web browser-based remote control feature, which lets Kodi users manage their setup from anywhere in the world.
Thanks to the Chorus2 interface, which is included by default, users can tinker with their Kodi settings remotely using a browser on any device.
Users can look through add-ons, watch saved videos and change the settings of their Kodi setup installed on a computer or set top box.
However, this interface can be accessed by third parties if a user does not choose a username and password during the set-up process.
When the Kodi remote control feature is first set up, entering a username and password is only recommended, not mandatory.
Describing the security risk, TorrentFreak said: “For many years, Kodi has had a remote control feature, whereby the software can be remotely managed via a web interface.
“This means that you’re able to control your Kodi setup installed on a computer or set-top box using a convenient browser-based interface on another device, from the same room or indeed anywhere in the world.
“But while this is a great feature, people don’t always password-protect the web-interface, meaning that outsiders can access their Kodi setups, if they have that person’s IP address and a web-browser.”
TF also published an image of a UK-based Kodi user’s setup that was found within “seconds using a specialist search engine”.
They added that besides looking through a stranger’s add-on collection, an attacker could make changes to the Kodi system settings.
To play tricks on an unsuspecting user, inputs like keyboards or mice could be disabled, leaving people frustrated as to why they can’t access their set-ups.
And attackers who have an unprotected user’s IP address could also view the contents of the Kodi fan’s video library.
So, if you have any sensitive or embarrassing footage saved on your Kodi setup, it could be viewed by a stranger in another country with just a few clicks.
Explaining the risk, TorrentFreak said: “The big question is, however, whether someone accessing a Kodi setup remotely can view these videos via a web browser.
“Clicking through on each piece of media reveals a button to the right of its title.
“Clicking that reveals two options – ‘Queue in Kodi’ (to play on the installation itself) or ‘Download’, which plays/stores the content via a remote browser located anywhere in the world. Chrome works like a charm.”
Thankfully, protecting against this risk is quite straightforward.
If you haven’t set a username or password, which by default is ‘kodi’ for both fields, then now is the time to change them.
All you need to do is click the Settings button on the home screen, then go to Service Settings.
Click the Control button on the left-hand side of that screen, and then enter your desired login in the username and password fields.
Alternatively, you can turn off the remote control web interface if you’d rather not use this feature.
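Once the login has been changed, it is worth confirming from another device that the web interface really does refuse visitors without credentials. The script below is an added example, not code from TorrentFreak or the Kodi project: it asks your own Kodi box for its web interface with no login, then with the ‘kodi’/‘kodi’ default named above, and reports the result. Port 8080 and plain HTTP are assumptions, so use the port shown in your own Service Settings.

```python
"""Self-check for your own Kodi box: does the web interface demand a login?"""
import base64
import sys
import urllib.error
import urllib.request

# Ignore any system proxy so the request goes straight to the device.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def http_status(url, credentials=None, timeout=5):
    """GET the URL (optionally with HTTP Basic auth) and return the status code."""
    req = urllib.request.Request(url)
    if credentials is not None:
        token = base64.b64encode(":".join(credentials).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401 and other error statuses arrive as exceptions


def audit_web_interface(host, port=8080):
    """Return 'open', 'default-login', 'protected', 'unexpected' or 'unreachable'.

    port=8080 is an assumption (Kodi's usual web server port); use the port
    shown in your own Service Settings.
    """
    url = f"http://{host}:{port}/"
    try:
        status = http_status(url)
        if status < 400:
            return "open"  # page served without any credentials
        if status != 401:
            return "unexpected"
        # Login is required: make sure the default the article names is rejected.
        if http_status(url, ("kodi", "kodi")) < 400:
            return "default-login"
        return "protected"
    except OSError:  # refused connection, timeout, no route
        return "unreachable"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, audit_web_interface(target))
```

A result of ‘protected’ means a login is demanded and the default is rejected; ‘unreachable’ is what you should see after turning the web interface off.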