This may sound crazy but I witnessed something yesterday that freaked me out. It also made me concerned for security of Yatse Android remote control app.
We use Kodi for live TV. We were watching live TV, just simply watching a channel. My wife was browsing Facebook on Chrome on her Android phone (she removed the Facebook app). As she was browsing, there was a sponsored ad for AliExpress Shopping App. In the ad there was a button for "Shoppen". She clicked on that button and the playback of the live TV stopped. It was equivalent to clicking stop on the remote control or clicking stop button on any iPhone, Android or other remote control app (such as Yatse).
I was able to repeat this every time with this particular ad (AliExpress Shopping App ad on Facebook). I have recorded a video of this occurring. You will see that I click on the button while TV is playing, Playing stops and goes back to the TV guide, which happens if you normally stop playback of a channel after you clicked on the channel in the TV guide.
My wife's phone has the Yatse app installed. I figure that's the way that clicking on the button in the ad caused Kodi to stop playing the live TV stream. So I went into Yatse, removed Kodi from the list of devices and repeated the test. As I suspected, nothing happened when clicking the button in the ad. So obviously clicking on the button in the ad was somehow sending a signal through Yatse to stop playing the live TV stream to Kodi. I did notice that clicking on the button should open a pop-up but her Chrome settings prevent pop-ups. Besides the pop-up, nothing else seems to happen when clicking the button. You can see this in the video.
So can anyone explain what is going on? It is obvious that somehow Yatse gets activated and sends a stop stream signal to Kodi when clicking on the button in the ad. But that should not be allowed to happen, unless I am missing something. Is this an Android security issue or Yatse app issue or Facebook ad issue or some combination of both? This really freaked me out. This means having Yatse installed on the Android phone could allow anyone to control Kodi through web pages, intentionally or unintentionally.
I am really curious what developers have to say.
