Password Not Required


djandrius

This is a very serious security bug:

 

1. Downloaded stable Version 3.0.5882.0 (Windows 7)

2. Go through setup. I already had an account created with Emby therefore added my email address and approved in email.

3. Was asked to create a user (User1) in one of the next steps.

4. Set up libraries, set up HTTPS access (all through remote access software)

5. Now to the bad part - to my extreme surprise, when I went to my external address (keep in mind I am not even at my house while setting this up) and I have never logged on to Emby before from this computer, to my surprise I am presented with "User1" big button in the middle and there is no password required to manage entire library! How in the world the Admin user is accessing through external address and allow user account to manage without a password?

 

P.S. Of course I have added password and edited account to be removed from the login screen, however not everyone without the knowledge would ever be able to know that they just exposed their media administrator to the entire world who can delete entire library with a few button clicks.


Hi, welcome. Just create a password for that user and that will prevent access without a password. In the future we probably will revise this to encourage or require a password.


djandrius

As I mentioned, I immediately created a password for that user. I am not new to the scene and I have tested MediaBrowser previously, only new to Emby.

 

If password is "empty/unset" access through external IP should be disabled by default...


FrostByte

In the future we probably will revise this to encourage or require a password.

 

Not requiring a pw is kind of nice with just one user and using local access only.  Entering a pw is kind of a pita with some TV remotes.  I suppose a simple pw or pin wouldn't be too bad though if required.


Redshirt

Not requiring a pw is kind of nice with just one user and using local access only.  Entering a pw is kind of a pita with some TV remotes.  I suppose a simple pw or pin wouldn't be too bad though if required.

 

You can set up a password and then set an empty pin code.  That will allow local sign-in without a password, but still require one signing in remotely.

  • Like 1
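
The policy discussed in this thread (no remote sign-in for an account whose password is empty, plus the password-and-empty-PIN arrangement for local use) sketched as an added example. This is not Emby's code: the `Account` fields, the `login_requirement` function and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Account:
    # Hypothetical model, not Emby's schema.
    name: str
    has_password: bool
    # None = no local PIN configured, "" = empty PIN, otherwise a PIN value.
    local_pin: Optional[str] = None

# Loopback, private and link-local ranges count as "local network".
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def is_local(peer: str) -> bool:
    """True only if the connecting address parses and is in a local range."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # unparseable peer is treated as remote (fail closed)
    # Unwrap ::ffff:a.b.c.d so a dual-stack listener classifies the real IPv4 peer.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in LOCAL_NETS if net.version == addr.version)

def login_requirement(acct: Account, peer: str) -> str:
    """Return 'deny', 'password', 'pin' or 'none' for a sign-in attempt."""
    if not is_local(peer):
        # Remote: an account with an empty password is never reachable.
        return "password" if acct.has_password else "deny"
    if acct.local_pin:
        return "pin"
    if acct.local_pin == "" or not acct.has_password:
        return "none"  # convenient sign-in, but only from the local network
    return "password"

if __name__ == "__main__":
    admin = Account("User1", has_password=False)  # state right after setup
    for peer in ("192.168.1.20", "203.0.113.7", "::ffff:203.0.113.7"):
        print(peer, "->", login_requirement(admin, peer))
```

The address passed in must be the real socket peer; behind a reverse proxy every request appears to come from the proxy's local address, so the check has to be made on a trusted forwarded address instead.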