Share Link Exploit?


p4tr1k

Hi,

if I use the emby app in a photo library and click on "share", I can publish a URL pointing to the picture. This URL is accessible to anyone without login. I can also change the ID in the URL and watch any other picture. Can I disable this function? If not, seems a security issue to me. Everyone knowing your emby URL would be able to see at least any picture in your photo library by trying some IDs.

Example:

https://example.com/emby/Items/{$FILE_ID}/Images/Primary?maxWidth=1170&tag={$ANY_TAG}&quality=90

I'm not sure about that "tag" in the URL, seems I can use whatever I want here. But if I change the FILE_ID to any other existing ID, I can see any photo I want. Seems blocking this path is not possible because the app uses the same.

Not sure if this also works for videos, also not sure if this is an already known issue?

I used the search function but was not able to find this problem.

Regards,
patrik

 

Link to comment
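For an admin who cannot block the image path, the ID guessing described in this post at least leaves a trace in the reverse-proxy access log. The following is an added example, not part of the original post or of Emby's code; the log format, IPs and item IDs are constructed, and it assumes that a request for a non-existent item ID is answered with 404.

```python
import re
from collections import defaultdict

# Matches image requests of the form quoted in the post:
#   GET /emby/Items/<id>/Images/<type>?...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .*"GET /emby/Items/(?P<item>[^/\s]+)/Images/[^"]*" (?P<status>\d{3}) '
)

def make_line(ip, item_id, status):
    """Build one constructed access-log line (combined-log style)."""
    return (f'{ip} - - [08/Jul/2022:12:00:00 +0000] "GET /emby/Items/{item_id}'
            f'/Images/Primary?maxWidth=1170&tag=x&quality=90 HTTP/1.1" {status} 0')

# Constructed sample: one client browsing real thumbnails, one walking IDs.
SAMPLE_LOG = "\n".join(
    [make_line("198.51.100.20", i, 200) for i in range(4101, 4107)]
    + [make_line("203.0.113.7", i, 200 if i % 4 == 0 else 404)
       for i in range(5000, 5012)]
    + ['198.51.100.20 - - [08/Jul/2022:12:00:09 +0000] '
       '"GET /emby/web/index.html HTTP/1.1" 200 0']
)

def find_id_guessers(log_text, min_ids=5, min_miss_ratio=0.5):
    """Return clients that request many distinct item IDs and mostly miss.

    A normal client also loads many thumbnails, so the 404 share is what
    separates guessing from browsing (assumption: unknown IDs answer 404).
    """
    ids, reqs, misses = defaultdict(set), defaultdict(int), defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an image request
        ip = m["ip"]
        ids[ip].add(m["item"])
        reqs[ip] += 1
        misses[ip] += m["status"] == "404"
    return {
        ip: {"distinct_ids": len(ids[ip]), "miss_ratio": misses[ip] / reqs[ip]}
        for ip in ids
        if len(ids[ip]) >= min_ids and misses[ip] / reqs[ip] >= min_miss_ratio
    }

if __name__ == "__main__":
    print(find_id_guessers(SAMPLE_LOG))
```
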

p4tr1k

Hi,

thanks a lot, I hope this will be fixed. This is a really high priority issue in my opinion, I keep watching your thread.

Link to comment

3 hours ago, pünktchen said:

This is a known issue https://emby.media/community/index.php?/topic/84893-images-dont-require-api_key/ but unfortunately the Emby devs don't care.

I don't see how adding an API key to the url would solve this basic issue because it would be included in the URL that is shared... right?

3 hours ago, p4tr1k said:

if I use the emby app in a photo library and click on "share", I can publish an URL pointing to the picture

This is only an issue if you proactively share this and publish that url somewhere, correct?

Link to comment

Q-Droid

It sounds like the sharing mechanism would have to change from a direct reference in the URL to something like a tracked hash/key that can only be resolved internally. Possibly with additional management options such as expiration of the shared item. 

 

Link to comment
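A sketch of the mechanism suggested in this post: the shared URL carries a random token instead of the item ID, the server resolves it internally, and the link can expire or be revoked. This is an added example, not part of the original post or of Emby's code; the class and method names are hypothetical.

```python
import hashlib
import secrets
import time

class ShareLinks:
    """Maps unguessable tokens to item IDs; the item ID never appears in the URL."""

    def __init__(self):
        # sha256(token) -> (item_id, expires_at). Only the digest is stored,
        # so a leaked table does not hand out working links.
        self._links = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, item_id, ttl_seconds, now=None):
        """Issue a new share token for item_id, valid for ttl_seconds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._links[self._digest(token)] = (item_id, now + ttl_seconds)
        return token

    def resolve(self, token, now=None):
        """Return the item ID for a live token, or None if unknown/expired."""
        now = time.time() if now is None else now
        key = self._digest(token)
        entry = self._links.get(key)
        if entry is None:
            return None  # guessed or revoked token
        item_id, expires_at = entry
        if now >= expires_at:
            del self._links[key]  # expired links are dropped on first use
            return None
        return item_id

    def revoke(self, token):
        """Owner-side management: withdraw a link before it expires."""
        return self._links.pop(self._digest(token), None) is not None

if __name__ == "__main__":
    links = ShareLinks()
    t = links.create("4101", ttl_seconds=3600)
    print(t, links.resolve(t), links.resolve("4101"))
```
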

pünktchen
31 minutes ago, ebr said:

I don't see how adding an API key to the url would solve this basic issue because it would be included in the URL that is shared... right?

Nobody said to include an api key in URL. It's about the security issue that images are accessible without any authentication.

  • Agree 1
Link to comment

46 minutes ago, ebr said:

I don't see how adding an API key to the url would solve this basic issue because it would be included in the URL that is shared... right?

This is only an issue if you proactively share this and publish that url somewhere, correct?

I think all IPs can be targeted whether it's shared by the user or not! It shouldn't be possible to access the photos directly because it makes the login username/password pointless..!

Link to comment

p4tr1k
On 7/8/2022 at 3:57 PM, ebr said:

I don't see how adding an API key to the url would solve this basic issue because it would be included in the URL that is shared... right?

This is only an issue if you proactively share this and publish that url somewhere, correct?

I think this is always a problem. You don't need to share anything, if I know your server URL, I can probably see your photos if I try some IDs.

In my opinion, I don't know if sharing media to anyone who has no account on the server is necessary. If possible, I would love to disable the complete "share" function if it comes with a security issue.

  • Agree 1
Link to comment

NukeFromOrbit

An API key would not help with a navigational GET request from a browser, but there are other ways of tackling this.

A fairly simple option (that helps quite a bit) is to generate a combo password. Using for example an Adjective and a Noun. That can easily be shared together with the link so that the person using it can enter it when prompted. They are easy to remember and the combinations are enough to easily detect brute force attempts. 

Adding a ClientID in the URL would help separate different clients and limit access to a specific set of combo passwords, so that an attacker can't use any link with any accepted password combo. It also makes it possible to disable a "client" when not in use, or even add features like expiration times etc.

There are of course many design options and security mechanisms that could be considered in this scenario.

But until something is added to prevent unauthorized access it would be really good to be able to turn off features like this. I do not expose my server as it is only used on my local network, I also limit media to my own DVD/BD collection, so it doesn't directly affect me.

Examples: FUNNY CHAIR, YELLOW SPACESHIP, etc

 

 

Link to comment
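The combo-password idea from this post, as an added example that is not part of the original post or of Emby's code: each client ID has its own adjective-noun password, failed attempts are counted per client, and a client can be disabled. The word lists are tiny constructed samples and all names are hypothetical; the last function shows why the attempt limit matters for a password space this small.

```python
import hmac
import secrets

# Constructed sample lists; a real deployment would use far longer ones.
ADJECTIVES = ["FUNNY", "YELLOW", "QUIET", "BRAVE"]
NOUNS = ["CHAIR", "SPACESHIP", "RIVER", "LANTERN"]

def new_combo():
    """Pick an adjective-noun pair with the OS CSPRNG."""
    return f"{secrets.choice(ADJECTIVES)} {secrets.choice(NOUNS)}"

class ShareGate:
    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self._clients = {}  # client_id -> {"combo", "failures", "enabled"}

    def add_client(self, combo=None):
        """Register a client; returns (client_id, combo) to hand out together."""
        client_id = secrets.token_hex(8)
        self._clients[client_id] = {
            "combo": combo or new_combo(), "failures": 0, "enabled": True}
        return client_id, self._clients[client_id]["combo"]

    def disable(self, client_id):
        self._clients[client_id]["enabled"] = False

    def check(self, client_id, attempt):
        """Return 'ok', 'denied', 'locked' or 'rejected' for one attempt."""
        client = self._clients.get(client_id)
        if client is None or not client["enabled"]:
            return "rejected"  # unknown or disabled client ID
        if client["failures"] >= self.max_failures:
            return "locked"  # stays locked until the owner reissues the client
        guess = attempt.strip().upper().encode()
        if hmac.compare_digest(guess, client["combo"].encode()):
            client["failures"] = 0
            return "ok"
        client["failures"] += 1  # a rising count here is the brute-force signal
        return "denied"

def guess_success_probability(n_adjectives, n_nouns, max_failures):
    """Chance that blind guessing hits the combo before the client locks."""
    return min(1.0, max_failures / (n_adjectives * n_nouns))

if __name__ == "__main__":
    print(guess_success_probability(1000, 1000, 5))
```
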