Jump to content

Webclient credentials not cleared on user logout (security risk?)


fc7

Recommended Posts

I just noticed in Emby 3.0.7013.4 (latest beta) that using webclient for server administratior or media playback, when the user logs out if you clic on "Manual Login" the last user username but more importantly also he password are already filled. I'm not sure if this was the same no previous versions or not.

 

This might pose a security risk in the scenario that the last logged user was a server administrator but it will also have other implications and risks when you use different users for parental control or library access.

The issue is more evident if you only use manual login for all your users (hidding them from the login page).

 

Repro steps:

 

  1. Login with any username in the webclient
  2. Logout using the logout button. The webclient will return to the login screen.
  3. Clic on "Manual Login" and you will see the user credentials of the last logged user already filled in, including it's password.
  4. Clic on "Log In" and it will go ahead and log you in with the last user credentials.

Thanks.

Edited by fc7
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...