p4tr1k (Posted July 8, 2022)
Hi, if I use the Emby app in a photo library and click on "share", I can publish a URL pointing to the picture. This URL is accessible to anyone without login. I can also change the ID in the URL and watch any other picture. Can I disable this function? If not, it seems a security issue to me. Everyone knowing your Emby URL would be able to see at least any picture in your photo library by trying some IDs.
Example: https://example.com/emby/Items/{$FILE_ID}/Images/Primary?maxWidth=1170&tag={$ANY_TAG}&quality=90
I'm not sure about that "tag" in the URL; it seems I can use whatever I want here. But if I change the FILE_ID to any other existing ID, I can see any photo I want. Blocking this path seems not possible because the app uses the same one. Not sure if this also works for videos, and also not sure if this is already a known issue? I used the search function but was not able to find this problem.
Regards, patrik
pünktchen (Posted July 8, 2022)
This is a known issue, https://emby.media/community/index.php?/topic/84893-images-dont-require-api_key/ , but unfortunately the Emby devs don't care.
p4tr1k (Author, Posted July 8, 2022)
Hi, thanks a lot, I hope this will be fixed. This is a really high-priority issue in my opinion; I'll keep watching your thread.
DJX (Posted July 8, 2022)
This is quite a concern. Is there any workaround we can do in the meantime?
ebr (Posted July 8, 2022)
pünktchen said (3 hours ago): This is a known issue https://emby.media/community/index.php?/topic/84893-images-dont-require-api_key/ but unfortunately the Emby devs don't care.
I don't see how adding an API key to the URL would solve this basic issue, because it would be included in the URL that is shared... right?
p4tr1k said (3 hours ago): if I use the Emby app in a photo library and click on "share", I can publish a URL pointing to the picture
This is only an issue if you proactively share this and publish that URL somewhere, correct?
Q-Droid (Posted July 8, 2022)
It sounds like the sharing mechanism would have to change from a direct reference in the URL to something like a tracked hash/key that can only be resolved internally, possibly with additional management options such as expiration of the shared item.
pünktchen (Posted July 8, 2022)
ebr said (31 minutes ago): I don't see how adding an API key to the URL would solve this basic issue because it would be included in the URL that is shared... right?
Nobody said to include an API key in the URL. It's about the security issue that images are accessible without any authentication.
DJX (Posted July 8, 2022)
ebr said (46 minutes ago): I don't see how adding an API key to the URL would solve this basic issue because it would be included in the URL that is shared... right? This is only an issue if you proactively share this and publish that URL somewhere, correct?
I think all IPs can be targeted whether it's shared by the user or not! It shouldn't be possible to access the photos directly, because it makes the login username/password pointless!
p4tr1k (Author, Posted July 9, 2022)
ebr said (on 7/8/2022 at 3:57 PM): I don't see how adding an API key to the URL would solve this basic issue because it would be included in the URL that is shared... right? This is only an issue if you proactively share this and publish that URL somewhere, correct?
I think this is always a problem. You don't need to share anything; if I know your server URL, I can probably see your photos if I try some IDs. In my opinion, I don't know if sharing media with anyone who has no account on the server is necessary. If possible, I would love to disable the complete "share" function if it comes with a security issue.
NukeFromOrbit (Posted July 12, 2022)
An API key would not help with a navigational GET request from a browser, but there are other ways of tackling this. A fairly simple option (that helps quite a bit) is to generate a combo password, using for example an adjective and a noun. That can easily be shared together with the link so that the person using it can enter it when prompted. They are easy to remember, and the combinations are enough to easily detect brute-force attempts. Adding a ClientID in the URL would help separate different clients and limit access to a specific set of combo passwords, so that an attacker can't use any link with any accepted password combo. It also makes it possible to disable a "client" when not in use, or even add features like expiration times etc. There are of course many design options and security mechanisms that could be considered in this scenario. But until something is added to prevent unauthorized access, it would be really good to be able to turn off features like this. I do not expose my server as it is only used on my local network, and I also limit media to my own DVD/BD collection, so it doesn't directly affect me.
Examples: FUNNY CHAIR, YELLOW SPACESHIP, etc.
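The two design proposals in this thread, Q-Droid's internally resolved tracked key with expiration and NukeFromOrbit's memorable combo password with brute-force detection and per-link disabling, fit together in one server-side share table. The following is an added illustration of that design in Python, written for this thread; it is not Emby's code and says nothing about how Emby's server is implemented. The `ShareStore` class, its methods, the `/share/{token}` path and the `MAX_PASSPHRASE_FAILURES` limit are all hypothetical names and values chosen for the example. The point it makes is that the URL carries only a random 256-bit token that the server maps back to an item ID, so there is no item ID to change, and a link can be expired, locked after repeated wrong passphrases, or revoked without touching the item itself.

```python
"""Opaque, expiring share links instead of guessable item IDs.

Added illustration, not Emby's code. The share URL quoted in this thread
embeds the internal item ID (/emby/Items/{FILE_ID}/Images/Primary?...),
so the ID can simply be changed. The store below implements the design
sketched by Q-Droid (a server-side token that is resolved internally, with
expiration) and NukeFromOrbit (an optional memorable passphrase with
brute-force lockout). Class, method and path names are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_PASSPHRASE_FAILURES = 5  # constructed policy value for the example


@dataclass
class Share:
    item_id: int                   # internal item the link resolves to
    owner: str                     # creator, for audit and bulk revocation
    expires_at: float              # unix timestamp; unusable after this
    passphrase_hash: bytes | None  # sha256(passphrase), or None if no passphrase
    revoked: bool = False
    failures: int = 0              # wrong passphrases presented so far


class ShareStore:
    """In-memory share table; a real server would persist this."""

    def __init__(self) -> None:
        # Keyed by sha256(token) so a copied database yields no usable links.
        self._shares: dict[str, Share] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, item_id: int, owner: str, ttl_seconds: int,
               passphrase: str | None = None, now: float | None = None) -> str:
        """Return a fresh share token: 32 random bytes (256 bits), which
        cannot be enumerated the way a small integer item ID can."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._shares[self._fingerprint(token)] = Share(
            item_id=item_id,
            owner=owner,
            expires_at=now + ttl_seconds,
            passphrase_hash=(hashlib.sha256(passphrase.encode()).digest()
                             if passphrase is not None else None),
        )
        return token

    def resolve(self, token: str, passphrase: str | None = None,
                now: float | None = None) -> int | None:
        """Map a presented token (plus passphrase, if the share has one) back
        to an item ID. Returns None for unknown, expired, revoked or locked
        shares and for a wrong passphrase; the caller serves the image only
        on success, never from a raw item ID in the URL."""
        now = time.time() if now is None else now
        share = self._shares.get(self._fingerprint(token))
        if share is None or share.revoked or now >= share.expires_at:
            return None
        if share.passphrase_hash is not None:
            if share.failures >= MAX_PASSPHRASE_FAILURES:
                return None  # locked: too many guesses against this one link
            presented = hashlib.sha256((passphrase or "").encode()).digest()
            if not hmac.compare_digest(presented, share.passphrase_hash):
                share.failures += 1  # counted per link, so guessing is visible
                return None
            share.failures = 0
        return share.item_id

    def revoke(self, token: str) -> bool:
        """Disable one link; the underlying item is untouched."""
        share = self._shares.get(self._fingerprint(token))
        if share is None:
            return False
        share.revoked = True
        return True

    def revoke_all_for_owner(self, owner: str) -> int:
        """Kill every link one user created, e.g. when switching sharing off."""
        count = 0
        for share in self._shares.values():
            if share.owner == owner and not share.revoked:
                share.revoked = True
                count += 1
        return count


def share_url(base_url: str, token: str) -> str:
    """Hypothetical share endpoint; only the opaque token appears in the URL."""
    return f"{base_url.rstrip('/')}/share/{token}"
```

Two design choices are worth noting. The table is keyed by a hash of the token rather than the token itself, so a leaked copy of the table does not hand out working links, and the passphrase comparison uses `hmac.compare_digest` so timing does not leak how much of a guess was right. The failure counter lives on the share, not on the client IP, which is what makes NukeFromOrbit's observation work: a short adjective-noun passphrase is weak on its own, but once a link locks after a handful of wrong guesses there is nothing left to brute-force.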