Kodi add-on shut down
Kodi users streaming on web-connected Apple TV 2 devices at risk of hacking iStock

Millions of Kodi streamers who use jailbroken Apple TV 2 devices to watch content are at risk of hacking attacks due to a "huge security flaw", according to pirate library TVAddons.

Cracked Apple TV 2 devices have long been favoured by Kodi pirates, but a popular update comes installed with unwanted tools and a default password which users are unlikely to change.

The flaw puts "millions of Kodi users at risk of having their Kodi box used to send spam, DDoS, distribute malware or even something as disgusting as child pornography," the website warned.

TVAddons has become well-known for linking users to a wide range of third-party applications not affiliated with the legitimate open source Kodi platform.

In recent years, the availability of cheap Android-based hardware – often branded as "Kodi boxes" – has enabled users to stream subscription-only material.

This includes sporting events, TV shows and newly-released movies. As a result, law enforcement has taken intense interest in the community of late, with some box vendors facing conviction.

A quick Google search shows that jailbreaking guides for Apple TV 2 devices are still popular. Some online marketplaces, including eBay, have cracked boxes openly advertised for sale.

But now, the pirate library has warned there is a "99.99%" chance streamers with jailbroken Apple TV 2 devices are at risk because a tool known as "OpenSSH" is turned on by default. When connected to the web, TVAddons claimed the devices were wide open to hijacking.

A crucial flaw is the root password being set to "alpine", which most people will neglect to change.

Apple TV with Siri remote
Older Apple TV devices could be jailbroken to play third-party apps Apple

"Under normal circumstances, most people are aware of the need to set a strong password on their computer," the website said. "However, in this circumstance, most users aren't aware that their jailbroken Apple TV 2 is a computer that can be programmed for any purpose.

"Anyone who gains access to your insecure jailbroken Apple TV 2 device could run code to do things like send spam, DDoS, or even infiltrate your phone and personal computer."

The website said those behind the jailbreak were likely to blame – and called on users to urgently update their passwords. "You won't even know once you've been hacked, so it's important to take proactive steps in order to secure all of your internet connected devices," it noted.

In 2017, TVAddons has faced its own legal woes, and went offline for a brief period back in June. The website's founder, Canadian Adam Lackman, had his home raided and devices seized by authorities after being accused of copyright infringement by telecommunications firms.

His appeal to users, organised under the banner "fight against censorship", has raised $29,300.