"TheEndless" wrote:"roquoonewbie" wrote:
You were saying that could be done by abusing the ECP launched channel store page. That can only be done if there is malicious software already running on the network.
Not necessarily. Your perfectly harmless ECP app could unknowingly allow the install of such a malicious channel. Have you reviewed the code of every private channel that your app installs? There's no way for you to know if a developer has hidden something in their channel that looks completely innocuous on the surface.
In this case he ummm, "embellished the truth" by conjecturing that showing the info screen on a channel somehow places it in the official Channel Store context.
Only a malicious ECP could/would covertly launch the channel store screen for a private channel the user had not expressed any interest in installing.
And again, if it could do that, it could equally launch the web browser to the add channel page as well...which looks just as "official" as the channel store screen.
There's a major difference there in that you have to be logged into the Roku website to add a channel via the web browser, and automating the install approval process in the web browser is much more involved than just sending a few remote commands via ECP.
This is a security fix. You should not be able to install private channels via the ECP. If there is some business case for doing this let me know.
$ curl -i -d "" http://192.168.1.28:8060/launch/11?ContentID=75561
and get this on the TV screen: