Forum Discussion
roquoonewbie
10 years ago, Visitor
"TheEndless" wrote:
Your example is more malicious than the one I suggested, which was more of a phishing attempt. But to answer your question, your use-case above where a mobile app is used to install private channels directly on the device could very easily be used to do the same, so the app is already running on the user's network. How can you be sure that every private channel installable via that app can be trusted? You and I are likely much more diligent in reviewing apps before we install them, but there's a large user population out there that isn't. Presenting the channel to the user via a channel store screen gives that user the impression that it's an official public channel, as there's nothing on the screen or during the install process that indicates otherwise. Presumably, your desire to have the feature available to you is for completely legitimate reasons, but that doesn't mean Joe Hacker won't use it more nefariously, and it only takes one bad apple...
What about my example was more malicious than the one you suggested? I was just demonstrating how an attacker could get a phishing channel installed on the Roku. You were saying that could be done by abusing the ECP-launched channel store page. That can only be done if there is malicious software already running on the network. And if that is the case, that software could just as easily launch the channel store add page of the private channel in the web browser (see this link: https://owner.roku.com/Add/ACETV). Both the web page to add the private channel and the channel store screen can give the user the impression it is a public channel. There is nothing on the web page that indicates it is a private channel either. So I again make the point that the channel store method of adding the channel is no less secure than the web method. It is just a little bit easier for the user.
And let's not forget that the ECP launching of a private channel store screen had been available for at least 2-3 years until this most recent 7.0 firmware update. If it was really a security hole, wouldn't there have been issues by now?