Clackdor, posted April 21:

This was brought to my attention by a post on Reddit in r/selfhosted just a few hours ago. It seems images are available by the itemid even when unauthenticated. The OP claims to have attempted to contact the Emby team regarding this and a few other issues, with no response. I'm making this post to raise awareness, as not everyone who frequents these forums will have seen the post on Reddit, and as it is posted publicly elsewhere it definitely deserves attention on the main forum.

This is very troubling, as it means that content that's available on the server can be determined without being logged in. Even more troubling if you're using Emby for family pictures and videos, as the pictures themselves can be viewed, and the thumbnails for videos can be viewed as well.

I have tested this myself and can verify that it is a major problem. I could see cover art for movies, as well as pictures from my family photos library, without being logged in. It seems that itemids are incremental, so it's arbitrary to just guess a value until you get a valid hit. Leaking what movies and shows are on a server is definitely not great, but leaking actual personal content is just unacceptable in my opinion. Until something is done to address this I would not recommend using Emby for personal/sensitive content if your server is publicly exposed.

Steps to reproduce below. Replace <itemId> with the numerical value of a library item to test it while not logged in.

https://<hostname:port>/emby/Items/<itemId>/Images/Primary
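A self-check for an administrator who wants to confirm whether their own server answers the request above without any token, written as an added example that is not part of the original post and not Emby's own code. It assumes only the endpoint shape given in the post; the host, port and item id are placeholders supplied on the command line, and the HTTP fetcher is injectable so the verdict logic can be exercised offline against constructed responses.

```python
"""Self-check: does an Emby server serve an item's Primary image with no
authentication?  Added example (not from the forum post or from Emby).
Assumes the endpoint shape from the post: /emby/Items/<itemId>/Images/Primary
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple

# A fetcher performs one unauthenticated GET and returns (status, content-type).
# It is injected so the classification can be tested offline with stand-ins.
Fetcher = Callable[[str], Tuple[int, str]]


def build_image_url(base_url: str, item_id: int, image_type: str = "Primary") -> str:
    """Assemble the image URL exactly as described in the post."""
    if item_id < 0:
        raise ValueError("item id must be non-negative")
    return f"{base_url.rstrip('/')}/emby/Items/{item_id}/Images/{image_type}"


def urllib_fetcher(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Plain GET: no X-Emby-Token header, no api_key, no cookies."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", "")
    except urllib.error.HTTPError as err:
        # 401/403/404 arrive as exceptions; the status is what we want.
        return err.code, err.headers.get("Content-Type", "")


def classify(status: int, content_type: str) -> str:
    """Turn a response into a verdict.

    exposed    - a 2xx carrying image bytes: the server served the picture
                 to an anonymous client, which is the problem the post reports.
    protected  - 401/403: the server demanded credentials.
    not_found  - 404: no such item (or the server hides existence).
    unexpected - anything else, e.g. a 200 that is HTML because a reverse
                 proxy in front of Emby answered with its own login page.
    """
    if 200 <= status < 300 and content_type.lower().startswith("image/"):
        return "exposed"
    if status in (401, 403):
        return "protected"
    if status == 404:
        return "not_found"
    return "unexpected"


@dataclass
class CheckResult:
    url: str
    status: int
    verdict: str


def check_item_image(base_url: str, item_id: int, fetcher: Fetcher = urllib_fetcher) -> CheckResult:
    """Run one unauthenticated request for one item and classify the answer."""
    url = build_image_url(base_url, item_id)
    status, content_type = fetcher(url)
    return CheckResult(url=url, status=status, verdict=classify(status, content_type))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python emby_image_check.py https://<hostname:port> <itemId>
        result = check_item_image(sys.argv[1], int(sys.argv[2]))
    else:
        # Offline demonstration with a constructed response (not a real server).
        fake_fetcher = lambda url: (200, "image/jpeg")  # noqa: E731
        result = check_item_image("https://media.example:8920", 42, fetcher=fake_fetcher)
    print(f"{result.url} -> HTTP {result.status}: {result.verdict}")
```

The verdict is deliberately conservative: a 200 that is not an image is reported as `unexpected` rather than `protected`, because a proxy-served login page in front of the server says nothing about whether Emby itself would have returned the picture.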
Luke, posted April 21:

Hi, yes we do plan to address this. Thanks for reporting.
Tigga5, posted April 21:

That's not surprising, and it's probably not just images. There are known issues with at least the Roku and Android apps that make it trivial to bypass authentication and watch anything within a library that should be restricted. Those were reported months ago and are still present in the current stable versions. It would be nice if Emby actually took user permissions more seriously.
ebr, posted April 21:

Quoting Tigga5 (8 minutes ago): "There are known issues with at least the Roku and Android apps that make it trivial to bypass authentication"

Hi. I don't believe this is true. You cannot bypass actual authentication.
Tigga5, posted April 21:

Quoting ebr (just now): "Hi. I don't believe this is true. You cannot bypass actual authentication."

So you don't count being able to search for and watch anything you want without having to login as bypassing authentication? You can't be serious...
ebr, posted April 21:

Quoting Tigga5 (1 minute ago): "without having to login"

That part is not true. The device must be authenticated before that would ever be possible.
Tigga5, posted April 21:

Yea, you have to sign in once, but after the initial setup you can log out and then anyone else can skip the login screen and search for whatever they want. Yet for some reason Emby clearly doesn't think this is a problem...
ebr, posted April 21:

Quoting Tigga5 (3 minutes ago): "you can logout and then anyone else can skip the login screen"

Again, that is not correct. If you log out then re-authentication is required. There is a BIG difference between the optional Profile PIN (designed for parental control) and actual authentication. None of the endpoints you mentioned will work without a valid authentication token, which is acquired via login with proper credentials.
Tigga5, posted April 21:

Quoting ebr (just now): "Again, that is not correct. If you logout then re-authentication is required. There is a BIG difference between the optional Profile PIN (designed for parental control) and actual authentication. None of the end points you mentioned will work without a valid authentication token which is acquired via login with proper credentials."

I'm sorry, but that's complete BS. Whether I log in with a password, PIN, or whatever, it should be secure. My kids should not be able to access content from my libraries without logging into my account. This really shouldn't be a difficult concept.
ebr, posted April 21:

Quoting Tigga5 (5 minutes ago): "I'm sorry, but that's complete BS. Whether I login with a password, PIN, or whatever it should be secure. My kids should not be able to access content from my libraries without logging into my account. This really shouldn't be a difficult concept."

There is a HUGE difference between your kids potentially finding something you don't want them to and someone outside your network gaining access without authentication. BTW, the update to the Roku app for this is in Roku's hands and will be out this week.
pünktchen, posted April 21:

I already reported the image problem 4 years ago:
Tigga5, posted April 21:

Quoting ebr (2 minutes ago): "There is a HUGE difference from your kids potentially finding something you don't want them to and someone outside your network gaining access without authentication."

Ok. Thanks for confirming that you don't take local account security seriously, I guess.

Quoting ebr: "BTW the update to the Roku app for this is in Roku's hands and will be out this week."

Hopefully it's actually fixed this time, considering you already claimed it was fixed once before and clearly didn't pay much attention to the original reports.
ebr, posted April 21:

Quoting Tigga5 (1 minute ago): "Ok. Thanks for confirming that you don't take local account security seriously, I guess"

The same thing applies to local accounts. They MUST be authenticated. There is a difference between security/authentication and parental controls.
Tigga5, posted April 21 (edited):

Quoting ebr (17 minutes ago): "The same thing applies to local accounts. They MUST be authenticated. There is a difference between security/authentication and parental controls."

My mistake. I'll fix my quote then:

"Ok. Thanks for confirming that you don't take parental controls seriously, I guess"

Though I would still make the argument that if a PIN allows you to access your account, then that's still part of account security and authentication. You're really just arguing semantics at this point.

Edited April 21 by Tigga5
neik, posted April 21:

I'm really sorry, but offering camera upload and having the uploads exposed by this vulnerability (for years now!) is simply ridiculous. People should be informed when activating the camera upload functionality or, even better, get this fixed eventually!
ebr, posted April 21:

Quoting Tigga5 (6 hours ago): "Though I would still make the argument that if a PIN allows you to access your account,"

It only allows access to an already authenticated account.