Clicking on Facebook ad controls Kodi through Yatse

Added by Davor 22 days ago

This may sound crazy but I witnessed something yesterday that freaked me out. It also made me concerned for the security of the Yatse Android remote control app.

We use Kodi for live TV. We were watching live TV, just simply watching a channel. My wife was browsing Facebook on Chrome on her Android phone (she removed the Facebook app). As she was browsing, there was a sponsored ad for the AliExpress Shopping App. In the ad there was a button for "Shoppen". She clicked on that button and the playback of the live TV stopped. It was equivalent to clicking stop on the remote control or clicking the stop button on any iPhone, Android or other remote control app (such as Yatse).

I was able to repeat this every time with this particular ad (AliExpress Shopping App ad on Facebook). I have recorded a video of this occurring. You will see that I click on the button while TV is playing. Playing stops and goes back to the TV guide, which happens if you normally stop playback of a channel after you clicked on the channel in the TV guide.

My wife's phone has the Yatse app installed. I figure that's the way that clicking on the button in the ad caused Kodi to stop playing the live TV stream. So I went into Yatse, removed Kodi from the list of devices and repeated the test. As I suspected, nothing happened when clicking the button in the ad. So obviously clicking on the button in the ad was somehow sending a signal through Yatse to stop playing the live TV stream to Kodi. I did notice that clicking on the button should open a pop-up but her Chrome settings prevent pop-ups. Besides the pop-up, nothing else seems to happen when clicking the button. You can see this in the video.

So can anyone explain what is going on? It is obvious that somehow Yatse gets activated and sends a stop stream signal to Kodi when clicking on the button in the ad. But that should not be allowed to happen, unless I am missing something. Is this an Android security issue or Yatse app issue or Facebook ad issue or some combination of both? This really freaked me out. This means having Yatse installed on the Android phone could allow anyone to control Kodi through web pages, intentionally or unintentionally.

See video of this issue here: https://youtu.be/3vr8dyhR6To


Replies (3)

RE: Clicking on Facebook ad controls Kodi through Yatse - Added by Tolriq 22 days ago

Well, Yatse registers as a possible HTTP handler.

At some point you shared those HTTP links via Yatse and either have checked the remember option or the OS has done it for you.

Yatse does not send a stop, it sends the URL to Kodi as if you shared any URL via Yatse.

You can reset the Android association in Android settings and disable Yatse sharing functions.
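
An added example, not part of the thread and not Yatse's code: the reply above says the app registers as a possible HTTP handler, which on Android is declared by an intent filter with the `VIEW` action, the `BROWSABLE` category and an `http`/`https` data scheme. The sketch below audits a decoded `AndroidManifest.xml` for such filters and flags those with no host restriction; the manifest, package and activity names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (hypothetical package and activity names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.remote">
  <application>
    <activity android:name=".ShareToPlayerActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="http"/>
        <data android:scheme="https"/>
      </intent-filter>
    </activity>
    <activity android:name=".DocsActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="docs.example.com"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

def web_link_handlers(manifest_xml):
    """Return (activity, schemes, hosts) for each filter that accepts browser http(s) links."""
    found = []
    for activity in ET.fromstring(manifest_xml).iter("activity"):
        for flt in activity.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.findall("action")}
            cats = {c.get(ANDROID + "name") for c in flt.findall("category")}
            data = flt.findall("data")
            schemes = sorted({d.get(ANDROID + "scheme") for d in data} & {"http", "https"})
            hosts = sorted({d.get(ANDROID + "host") for d in data if d.get(ANDROID + "host")})
            if ("android.intent.action.VIEW" in actions
                    and "android.intent.category.BROWSABLE" in cats and schemes):
                found.append((activity.get(ANDROID + "name"), schemes, hosts))
    return found

def unrestricted(handlers):
    """Activities whose filter names no host, so any web link can be routed to them."""
    return [name for name, _, hosts in handlers if not hosts]
```

An activity returned by `unrestricted` is one the user can end up setting as the default for arbitrary links, which is the association the reply suggests resetting in Android settings.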

RE: Clicking on Facebook ad controls Kodi through Yatse - Added by Davor 20 days ago

Ok, thank you. But why does Kodi stop playing the stream if it is sent the URL? Should it not be a very specific command? I am expecting Kodi to ignore random URLs or commands sent by Yatse or any other software on the network.

RE: Clicking on Facebook ad controls Kodi through Yatse - Added by Tolriq 20 days ago

Well, it's a player, you ask it to play something, obviously it plays it. But it can't, so it fails and you have a stop as a result.
