Kodi fans have been warned about a vulnerability which leaves them exposed to complete strangers spying on them.
The Kodi surge continues without any sign of stopping, as users continue to ditch paid TV services for the online player.
Research has suggested Kodi – which offers access to thousands of channels – is being used in more than five million UK homes.
Kodi software is not illegal, but developers can produce third-party add-ons that provide free access to pirated and illegal content.
The illegal add-ons are being targeted by ISPs, government agencies, broadcasters and rights holders.
And now Kodi users are being warned that they could be at risk of having complete strangers spy on what they’re doing.
TorrentFreak reported that large numbers of Kodi users are running a setup which attackers can access with just a few simple tricks.
It all centres on the web browser-based remote control feature, which lets Kodi users manage their setup from anywhere in the world.
Thanks to the Chorus2 interface, which is included by default, users can tinker with their Kodi settings remotely using a browser on any device.
Users can look through add-ons, watch saved videos and change the settings of their Kodi setup installed on a computer or set top box.
However, this can be accessed by third-parties if a user does not choose a username and password during the set-up process.
When initially setting up the Kodi remote control feature, it’s only recommended that a username and password is entered – not mandatory.
Describing the security risk, TorrentFreak said: “For many years, Kodi has had a remote control feature, whereby the software can be remotely managed via a web interface.
“This means that you’re able to control your Kodi setup installed on a computer or set-top box using a convenient browser-based interface on another device, from the same room or indeed anywhere in the world.
“But while this is a great feature, people don’t always password-protect the web-interface, meaning that outsiders can access their Kodi setups, if they have that person’s IP address and a web-browser.”
TF also published an image of a UK-based Kodi user’s setup that was found within “seconds using a specialist search engine”.
They added that besides looking through a stranger’s add-on collection, an attacker could make changes to the Kodi system settings.
To play tricks on an unsuspecting user, inputs like keyboards or mouses could be disabled leaving people frustrated as…