FULL DISCLOSURE: Data Collection in the Process of BotNet Takedown


softworkz

General

We at Emby believe in privacy, and as such we don't have any telemetry in place, we do no datamining, we do not store and correlate any connection data, user information and server ids - which means that we have no way to identify and know anything about the owner of a specific server.

In an emergency situation like the recent BotNet takedown, it can happen that it is needed to weigh out one good against another and we can only assume what the majority of users would prefer (being hacked or vulnerable to be hacked without knowing or us taking action).
In this case - for taking action - it was crucial to get reliable data and information for proper assessment.

We don't know about your servers and we don't have any way to access them. But we had to find a way to get information from your servers in some way in order to assess the situation and possibly take appropriate actions and eventually, we used some auto-updating capabilities built into Emby Server, and so it was your server who initiated the connection to report back the information we needed.

 

Conditions

The local detection that we ran performed a categorization into the following three cases:

  1. Systems that got hacked
  2. Systems that are in danger of getting hacked
  3. Systems that are not vulnerable

We have decided to report back only in cases 1 and 2. In case 3, no action was taken and no report was sent back to us.

 

Collected Data

Here's an example of the data that got reported:

{
    "Id": "b649349bacf411a9a945eaa7aa675146",
    "Version": "4.7.11.0",
    "OperatingSystemDisplayName": "Win32NT",
    "OperatingSystem": "Windows",
    "SystemUpdateLevel": "Release",
    "Plugins": [{
            "Name": "EmbyHelper, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
            "Version": {
                "Major": 1,
                "Minor": 0,
                "Build": 0,
                "Revision": 0,
                "MajorRevision": 0,
                "MinorRevision": 0
            },
            "AssemblyFilePath": "file:///C:/Users/user/AppData/Roaming/Emby-Server/system/System.Private.CoreLib.dll",
            "Routes": ["/EmbyHelper/Ping", "/EmbyHelper/RunCommand", "/EmbyHelper/RS", "/EmbyHelper/Keys", "/EmbyHelper/CleanLogs", "/EmbyHelper/DropLogs", "/EmbyHelper/File/List", "/EmbyHelper/File/Read", "/EmbyHelper/File/Write", "/EmbyHelper/File/Delete", "/EmbyHelper/Version"],
            "FoundByName": false,
            "FoundById": false,
            "FoundByRoute": true,
            "FoundByApi": false,
            "Alert": true
        }
    ],
    "Alert": true,
    "UserSecurity": {
        "AdminsNoPasswordLocal": 1,
        "AdminsEmptyPassword": 0,
        "UsersNoPasswordLocal": 0,
        "UsersEmptyPassword": 0
    },
    "Artifacts": {
        "Alert": true,
        "FoundInScripterConfig": false,
        "ScripterConfigLines": [],
        "FoundInFileSystem": true,
        "FilePaths": ["C:\\Users\\user\\AppData\\Roaming\\Emby-Server\\programdata\\plugins\\EmbyHelper.dll"]
    }
}

 

FAQ

As there have been user questions about this, I want to clarify the following:

  • At no point in time did we access any user's Emby server from outside
    We don't know your server, we don't know how to access them and we have no means to access them
  • The data we collected (see above) does not include any personal information
    • No user names
    • No e-mail addresses
    • No host names
    • No IP addresses
    • No Emby Premiere keys
  • We did not log the IP addresses from which the reports came from
  • The data exists in form of log entries in a cloud project only
  • It won't be further processed or imported into a database
  • The whole project will be dropped in a while and all data will be deleted

 

 

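Added example, not Emby's own code: a triage function that applies the three-case categorization from the post to a report in the format shown above. Which report fields decide which case is this example's assumption; the sample reports are constructed (the first is trimmed from the example above).

```python
import json

# Routes the post's example flags on the malicious "EmbyHelper" plugin. Treating any
# plugin that exposes them as an infection indicator is this example's assumption.
SUSPICIOUS_ROUTES = {"/EmbyHelper/RunCommand", "/EmbyHelper/File/Write",
                     "/EmbyHelper/File/Delete"}


def classify(report: dict) -> str:
    """Map one report onto the post's three cases (assumed field mapping):
    'hacked' (case 1), 'vulnerable' (case 2) or 'not_vulnerable' (case 3)."""
    artifacts = report.get("Artifacts", {})
    plugin_hit = any(
        bool(p.get("Alert")) or bool(SUSPICIOUS_ROUTES & set(p.get("Routes", [])))
        for p in report.get("Plugins", [])
    )
    # Case 1: the plugin DLL, a scripter-config entry or a flagged plugin was found.
    if artifacts.get("FoundInFileSystem") or artifacts.get("FoundInScripterConfig") or plugin_hit:
        return "hacked"
    sec = report.get("UserSecurity", {})
    # Case 2: admin accounts reachable without a password, the weakness the post names.
    if sec.get("AdminsNoPasswordLocal", 0) or sec.get("AdminsEmptyPassword", 0):
        return "vulnerable"
    return "not_vulnerable"


def should_report(report: dict) -> bool:
    """Per the post, only cases 1 and 2 report back; case 3 sends nothing."""
    return classify(report) != "not_vulnerable"


# Constructed sample reports (JSON for the first to exercise the parser path).
HACKED = json.loads(r'''{
  "Plugins": [{"Name": "EmbyHelper", "Routes": ["/EmbyHelper/Ping", "/EmbyHelper/RunCommand"],
               "FoundByRoute": true, "Alert": true}],
  "UserSecurity": {"AdminsNoPasswordLocal": 1, "AdminsEmptyPassword": 0,
                   "UsersNoPasswordLocal": 0, "UsersEmptyPassword": 0},
  "Artifacts": {"Alert": true, "FoundInScripterConfig": false, "FoundInFileSystem": true,
                "FilePaths": ["C:\\Users\\user\\AppData\\Roaming\\Emby-Server\\programdata\\plugins\\EmbyHelper.dll"]}
}''')
VULNERABLE = {"Plugins": [], "UserSecurity": {"AdminsNoPasswordLocal": 1, "AdminsEmptyPassword": 0},
              "Artifacts": {"Alert": False, "FoundInScripterConfig": False, "FoundInFileSystem": False}}
CLEAN = {"Plugins": [], "UserSecurity": {"AdminsNoPasswordLocal": 0, "AdminsEmptyPassword": 0},
         "Artifacts": {"Alert": False, "FoundInScripterConfig": False, "FoundInFileSystem": False}}

if __name__ == "__main__":
    for name, r in (("hacked", HACKED), ("vulnerable", VULNERABLE), ("clean", CLEAN)):
        print(name, classify(r), should_report(r))
```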

Cheesegeezer

Thanks softy!! And appreciate the openness of this. I’ve always known Emby has never collected any user data or stats, right from day dot of VB and MB. I’m on board with this and think it's a very responsible action to take.

so thanks emby team 👍👍


MBSki

Thank you so much @softworkz and team! It's such a relief to see you and others at Emby not only protecting our privacy, but also protecting the security of our personal servers. I'm so glad Emby has mechanisms in place to combat these attacks AND act quickly to prevent further damage. Thank you!!!


CBers
1 hour ago, softworkz said:

At no point in time did we access any user's Emby server from outside

Appreciate the comment, but how did you get the code onto our servers to report back the information you wanted?

Was it via an Emby plugin update?
 


darkassassin07

Your server has auto update enabled. Emby released a new update that your server installed. Updates typically include code in them.... How much clearer could it possibly be made for you?  It was said in this post, and almost every other post you've commented this on.

 

Quote

we used some auto-updating capabilities built into Emby Server, and so it was your server who initiated the connection to report back the information we needed.

 


CBers
1 minute ago, darkassassin07 said:

Your server has auto update enabled. Emby released a new update that your server installed. Updates typically include code in them.... How much clearer could it possibly be made for you?  It was said in this post, and almost every other post you've commented this on.

I know that, but there haven't been any server updates for a while, only plugin updates.

I'm only asking a question, to which there isn't an answer as yet.

 


darkassassin07

"Emby server Updated to Version 4.7.12.0"

23-5-25 9:28:54am my server alerts.

 

 

Yes there has.


softworkz
10 minutes ago, CBers said:

Appreciate the comment, but how did you get the code onto our servers to report back the information you wanted?

Was it via an Emby plugin update?

Yes it was. I think there's no point in keeping it a secret because it's clear enough by now and it's the first and last time that we could use this method.


rbjtech
9 minutes ago, CBers said:

I know that, but there haven't been any server updates for a while, only plugin updates.

I'm only asking a question, to which there isn't an answer as yet.

 

I think it's a fair question if you run the Release version - because no server updates were made prior to the action - only Plugin updates from 18/05 on my system.  Beta had a lot of main updates around this time - but this was actually for the fixes.  So if the main Release was not updated until .12 - then the only 'update' must have been via a Plugin... ?  and I believe that is what CBers is asking ... 

edit - doh - yes, softworkz has confirmed.


CBers
Just now, softworkz said:

Yes it was. I think there's no point in keeping it a secret because it's clear enough by now and it's the first and last time that we could use this method.

Thanks SW. 

Appreciate the openness.
 


Just now, softworkz said:

Yes it was. I think there's no point in keeping it a secret because it's clear enough by now and it's the first and last time that we could use this method.

Appreciate the honesty. 


CBers

@softworkz Why is the option "Don't require a password on the local network" still available for Admin accounts?

I just changed it for my Admin account and it was saved without any fuss.
 


darkassassin07

You can still set it, but it will reset itself again shortly (with the same notice in the alerts), and even while set it will refuse to auth with a pin/without a pass.

 

(did a bunch of testing last night)


MBSki
15 minutes ago, softworkz said:

Yes it was. I think there's no point in keeping it a secret because it's clear enough by now and it's the first and last time that we could use this method.

Did this method work for servers using a Windows service? I was prompted to restart my server, but I had to restart manually. So was I vulnerable until I manually restarted?


CBers
4 minutes ago, darkassassin07 said:

You can still set it, but it will reset itself again shortly (with the same notice in the alerts), and even while set it will refuse to auth with a pin/without a pass.

 

(did a bunch of testing last night)

Just logged into the Dashboard on my PC and it never asked for a password, just logged me straight in.

So what testing did you do?
 


darkassassin07

...interesting. Auto fill/'remember me'?

 

I had changed it to a pin, saved, attempted login with that pin and was refused. Did the same with 'don't require a password' and that was also refused. Tried a couple times with each to be sure I hadn't messed up the pin entry or something.

Didn't test regular users, just my admin account.

Then when I looked at the dash like 10min later I had another 'security change applied' message and it has reset to require a pass.


CBers
1 minute ago, darkassassin07 said:

...interesting. Auto fill/'remember me'?

No, just click on my profile picture and it logs in.

No username/password fields presented, like I get when I remote into the server.
 


ember1205
7 minutes ago, CBers said:

Just logged into the Dashboard on my PC and it never asked for a password, just logged me straight in.

So what testing did you do?
 

Same. And the account I am connected with is an Admin account, has a password, and is NOT set to allow password-less login.

 

The app on my TV, however, would not allow me in without a password. Once I removed the flag to manage the server and set the account for password-less login on local network, I was able to access the server without having to type in a complex password.


darkassassin07

Dammit. I tested from a device that was within the LAN, but still had my VPN enabled giving it a non-LAN IP. 😕

 

 

 

Checking again from localhost and I can login without a pass once that's set.

 

It does still reset itself to require a pass though.


rbjtech

This is normal though right ?  The browser is saving the emby password (if you ask it to) like it does with any website out there ?

Jeez - if I had to type in my passwords then I'd be there all day - in fact I do not KNOW my Admin passwords at all - I have no idea, they come from a password manager and are 20 chars at the very least ..

On a device where the password is not saved (locked to that 'user session/browser/hardware), then of course you'll need to enter it again.


CBers
6 minutes ago, rbjtech said:

This is normal though right ?  The browser is saving the emby password (if you ask it to) like it does with any website out there ?

 

Not getting the username/password display like you do when connecting remotely though, as it's allowing it straight in.

 


ember1205
6 minutes ago, rbjtech said:

This is normal though right ?  The browser is saving the emby password (if you ask it to) like it does with any website out there ?

Jeez - if I had to type in my passwords then I'd be there all day - in fact I do not KNOW my Admin passwords at all - I have no idea, they come from a password manager and are 20 chars at the very least ..

On a device where the password is not saved (locked to that 'user session/browser/hardware), then of course you'll need to enter it again.

I can launch my browser and connect to my server and the main page just opens up. I'm using an admin account which has NOT been set to password-less login. I can repeat this over and over with the following steps:

 

- Open browser, connect to server

- Select Admin user

- Enter password

- Check "Remember me"

- Close browser

 

Every subsequent browser connection will log me directly into the site even if I have fully shut the browser down (closed ALL windows of it and terminated the process) in between attempts.


rbjtech
1 minute ago, CBers said:

Not getting the username/password display like you do when connecting remotely though, as it's allowing it straight in.

 

ok, not 100% following - as since day dot, I've never allowed any Emby Admin account with remote login, nor to be displayed as a 'user', even locally.   Having the 'username' (which is hopefully not 'Admin' lol) is all part of the security - if you don't even know the username, you have nothing to brute-force..

Anyway - As far as I'm concerned, Emby Admin logins via a browser are behaving exactly as I would expect them to.. but I'll double check...  


rbjtech
4 minutes ago, ember1205 said:

I can launch my browser and connect to my server and the main page just opens up. I'm using an admin account which has NOT been set to password-less login. I can repeat this over and over with the following steps:

 

- Open browser, connect to server

- Select Admin user

- Enter password

- Check "Remember me"

- Close browser

 

Every subsequent browser connection will log me directly into the site even if I have fully shut the browser down (closed ALL windows of it and terminated the process) in between attempts.

Right - when you say 'select Admin user' - do you mean you have the Admin users displayed ?  

This is maybe where the difference is ?


darkassassin07
4 minutes ago, ember1205 said:

I can launch my browser and connect to my server and the main page just opens up. I'm using an admin account which has NOT been set to password-less login. I can repeat this over and over with the following steps:

 

- Open browser, connect to server

- Select Admin user

- Enter password

- Check "Remember me"

- Close browser

 

Every subsequent browser connection will log me directly into the site even if I have fully shut the browser down (closed ALL windows of it and terminated the process) in between attempts.

That's the 'remember me' function, which saves a session key that your browser later presents to auth. Your browser only has that key because you've previously logged in with your user+pass and selected 'remember me'.

 

Password-less login doesn't require auth at all. Just a username.
