
Recommended Posts

Clackdor
Posted

This was brought to my attention by a post on Reddit in r/selfhosted just a few hours ago. It seems images are available by the itemid even when unauthenticated. The OP claims to have attempted to contact the emby team regarding this and a few other issues with no response.

I'm making this post to raise awareness as not everyone who frequents these forums will have seen the post on Reddit, and as it is posted publicly elsewhere it definitely deserves attention on the main forum.

This is very troubling as it means that content that's available on the server can be determined without being logged in. Even more troubling if you're using emby for family pictures and videos as the pictures themselves can be viewed, and the thumbnail for videos can be viewed as well.

I have tested this myself and can verify that it is a major problem. I could see cover art for movies, as well as pictures from my family photos library without being logged in. It seems that itemids are incremental, so it's arbitrary to just guess a value until you get a valid hit.

Leaking what movies and shows are on a server is definitely not great, but leaking actual personal content is just unacceptable in my opinion. Until something is done to address this I would not recommend using emby for personal/sensitive content if your server is publicly exposed. 

Steps to reproduce below.

Replace <itemid> with the numerical value of a library item to test it while not logged in.

https://<hostname:port>/emby/Items/<itemId>/Images/Primary 

  • Agree 1
  • Thanks 1
Posted

Hi, yes we do plan to address this. Thanks for reporting.

  • Thanks 2
Posted

That's not surprising, and it's probably not just images. There are known issues with at least the Roku and Android apps that make it trivial to bypass authentication and watch anything within a library that should be restricted. Those were reported months ago and are still present in the current stable versions. It would be nice if emby actually took user permissions more seriously.

Posted
8 minutes ago, Tigga5 said:

There are known issues with at least the Roku and Android apps that make it trivial to bypass authentication

Hi.  I don't believe this is true.  You cannot bypass actual authentication.

Posted
Just now, ebr said:

Hi.  I don't believe this is true.  You cannot bypass actual authentication.

So you don't count being able to search for and watch anything you want without having to login as bypassing authentication? You can't be serious... 

Posted
1 minute ago, Tigga5 said:

without having to login

That part is not true.  The device must be authenticated before that would ever be possible.

Posted

Yea, you have to sign in once, but after the initial setup you can logout and then anyone else can skip the login screen and search for whatever they want. Yet for some reason emby clearly doesn't think this is a problem... 

Posted
3 minutes ago, Tigga5 said:

you can logout and then anyone else can skip the login screen

Again, that is not correct.  If you logout then re-authentication is required.

There is a BIG difference between the optional Profile PIN (designed for parental control) and actual authentication. None of the endpoints you mentioned will work without a valid authentication token which is acquired via login with proper credentials.

Posted
Just now, ebr said:

Again, that is not correct.  If you logout then re-authentication is required.

There is a BIG difference between the optional Profile PIN (designed for parental control) and actual authentication. None of the endpoints you mentioned will work without a valid authentication token which is acquired via login with proper credentials.

I'm sorry, but that's complete BS. Whether I login with a password, PIN, or whatever it should be secure. My kids should not be able to access content from my libraries without logging into my account. This really shouldn't be a difficult concept.

Posted
5 minutes ago, Tigga5 said:

I'm sorry, but that's complete BS. Whether I login with a password, PIN, or whatever it should be secure. My kids should not be able to access content from my libraries without logging into my account. This really shouldn't be a difficult concept.

There is a HUGE difference between your kids potentially finding something you don't want them to and someone outside your network gaining access without authentication. BTW the update to the Roku app for this is in Roku's hands and will be out this week.

pünktchen
Posted

I already reported the image problem 4 years ago:

 

  • Like 1
Posted
2 minutes ago, ebr said:

There is a HUGE difference from your kids potentially finding something you don't want them to and someone outside your network gaining access without authentication. 

Ok. Thanks for confirming that you don't take local account security seriously, I guess.

Quote

BTW the update to the Roku app for this is in Roku's hands and will be out this week.

Hopefully it's actually fixed this time considering you already claimed it was fixed once before and clearly didn't pay much attention to the original reports.

Posted
1 minute ago, Tigga5 said:

Ok. Thanks for confirming that you don't take local account security seriously, I guess

The same thing applies to local accounts.  They MUST be authenticated.  There is a difference between security/authentication and parental controls.

Posted (edited)
17 minutes ago, ebr said:

The same thing applies to local accounts.  They MUST be authenticated.  There is a difference between security/authentication and parental controls.

My mistake. I'll fix my quote then.

Quote

Ok. Thanks for confirming that you don't take parental controls seriously, I guess

Though I would still make the argument that if a PIN allows you to access your account, then that's still part of account security and authentication. You're really just arguing semantics at this point.

Edited by Tigga5
Posted

I'm really sorry but offering camera upload and having them exposed by this vulnerability (for years now!) is simply ridiculous.

People should be informed when activating the camera upload functionality or even better, get this fixed eventually!

  • Agree 2
Posted
6 hours ago, Tigga5 said:

Though I would still make the argument that if a PIN allows you to access your account,

It only allows access to an already authenticated account.

  • 6 months later...
Posted

I'm just bumping the thread to see if there's any timeline for a fix and make others aware of the issue who otherwise might not be.

As of the latest stable release images and video thumbnails can still be viewed by the method described in my initial post with no authentication needed.

Posted (edited)

It's been at least 6+ months now since the Emby team was made aware of this (likely much longer as we don't know when the Reddit member originally reached out before posting there)...

It's one thing for security issues like this to pop up. No software is perfect, and mistakes are inevitable. What really matters though is how a company responds when such issues come to light. Seeing several instances this year where Emby is obviously unconcerned and willing to let issues like this sit on the back burner is pretty telling and concerning as a customer.

Edited by Tigga5
Posted
2 hours ago, Tigga5 said:

It's been at least 6+ months now since the Emby team was made aware of this

If you look at the comment history above someone initially reported this in a separate thread over 4 years ago. Over 4 years is far more than enough time to properly address a serious issue such as this after being notified. Keep in mind that it's only been since the 4.8 release that camera upload was changed so that it could even be properly disabled altogether. 

I'm still using emby as my media server. I've praised the dev team numerous times and am still thankful for the work that goes into it. That being said it's hard to not notice that there's a trend of major issues/concerns being disregarded or otherwise not being dealt with in a timely manner.

Another example of this is a feature request I submitted back in February regarding the playlist sharing feature. I asked for more controls to limit which users another user can see when sharing playlists. When you turn on playlist sharing for a user they can see the entire list of users on a server including Admin accounts. This makes the feature not worth turning on for anyone security conscious enough to understand why that's a bad idea. The proposed compromise until such a feature can be fully implemented with groups or however they intend to tackle it was to give an option to at least limit visibility to admin accounts. There is still no such option.

To the emby team, I really do appreciate you guys and I love the product. I get that it's a small team and there are only so many hours in the day. I'm not trying to come off as overly critical or entitled. I hope you don't see it as such. You guys can do better about fixing valid security and privacy concerns within a timely manner. Not doing so erodes trust and confidence in the product. The fact that issues like this get buried with no fix in sight is highly concerning. Any issue with emby or its features that is or can be perceived as a valid security/privacy concern should be top priority for a fix.

Posted

I'd forgotten all about this - seriously Emby, after 4 years this is not resolved?

Did you not learn anything from the previous security incident/breach where you ignored that one as well until it was exploited in the wild and then became a big issue for you?

All it's going to take for somebody to 'exploit' this is to simply scan all emby servers, grab all the images from them and start exploiting the results - and maybe sue your company for gross negligence in the process...

PLEASE take reported security incidents seriously - you are getting the pen testing/analysis done for free - the least you can do is provide a fix in a timely manner. Also to note, you are a commercial organisation with paying customers - thus you have responsibilities to report these vulnerabilities, so people are aware and can make an informed choice.

@Luke @ebr @softworkz

  • Like 4
Posted
21 minutes ago, rbjtech said:

I'd forgotten all about this - seriously Emby, after 4 years this is not resolved?

Did you not learn anything from the previous security incident/breach where you ignored that one as well until it was exploited in the wild and then became a big issue for you?

All it's going to take for somebody to 'exploit' this is to simply scan all emby servers, grab all the images from them and start exploiting the results - and maybe sue your company for gross negligence in the process...

PLEASE take reported security incidents seriously - you are getting the pen testing/analysis done for free - the least you can do is provide a fix in a timely manner. Also to note, you are a commercial organisation with paying customers - thus you have responsibilities to report these vulnerabilities, so people are aware and can make an informed choice.

@Luke @ebr @softworkz

Thank you!

Happy2Play
Posted

I guess the internet should close that door also as almost all images are somewhat exploited the exact same way if you know their ids.

 

Posted
13 minutes ago, Happy2Play said:

if you know their ids.

..and this is the heart of the problem. You don't need to know the ids - you can simply guess and very quickly narrow it down to valid id ranges as the ids are not random, they are only incrementing integers. A random high-entropy id would be much less of a problem, even unauthenticated, as it cannot simply be guessed.
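As an added example (not from this thread or from Emby), a small Python detector for the pattern rbjtech describes above: one client sweeping incrementing item ids against the image endpoint quoted in the first post, with 404 misses interleaved between 200 hits. It runs over constructed access-log lines; the combined log format, the sample IPs and the user-agent strings are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Combined-format access log line (format is an assumption): client IP, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3})')
# The image endpoint quoted in the first post; the /emby prefix is optional.
IMAGE_RE = re.compile(r"^/(?:emby/)?Items/(\d+)/Images/Primary(?:\?.*)?$")

def find_enumeration(log_lines, min_ids=8, max_median_gap=2):
    """Return {ip: summary} for clients whose Primary-image requests sweep incrementing
    item ids: many distinct ids with a median gap of 1-2, 404 misses between 200 hits."""
    per_ip = defaultdict(dict)  # ip -> {item_id: last status seen}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        img = IMAGE_RE.match(path)
        if img:
            per_ip[ip][int(img.group(1))] = int(status)
    flagged = {}
    for ip, ids in per_ip.items():
        if len(ids) < max(2, min_ids):
            continue  # too few ids to call it a sweep
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if statistics.median(gaps) > max_median_gap:
            continue  # scattered ids, consistent with a real client browsing
        flagged[ip] = {
            "distinct_ids": len(ids),
            "id_range": (ordered[0], ordered[-1]),
            "hits": sum(1 for s in ids.values() if s == 200),
            "misses": sum(1 for s in ids.values() if s == 404),
        }
    return flagged

# Constructed sample: a sweep from 203.0.113.7 and normal browsing from 198.51.100.20.
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /emby/Items/{1000 + i}/Images/Primary HTTP/1.1" {200 if i % 4 == 0 else 404} 0 "-" "curl/8.4"'
    for i in range(16)
] + [
    '198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "GET /emby/Items/4123/Images/Primary?maxWidth=300 HTTP/1.1" 200 8123 "-" "Emby/4.8"',
    '198.51.100.20 - - [01/Jan/2024:10:01:02 +0000] "GET /emby/Items/90021/Images/Primary HTTP/1.1" 200 9011 "-" "Emby/4.8"',
    '198.51.100.20 - - [01/Jan/2024:10:01:05 +0000] "GET /emby/Items/77/Images/Primary HTTP/1.1" 200 5120 "-" "Emby/4.8"',
]

if __name__ == "__main__":
    for ip, summary in find_enumeration(SAMPLE_LOG).items():
        print(ip, summary)
```

Only the sweeping client is reported; the browsing client requests too few, widely scattered ids to trip the median-gap check.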

Posted
33 minutes ago, Happy2Play said:

I guess the internet should close that door also as almost all images are somewhat exploited the exact same way if you know their ids.

 

Holy Hell... You can't be serious with this statement? Most images on the internet aren't supposed to be secured behind account authentication like Emby. That's just an unbelievably stupid defense there.

  • Like 1
Happy2Play
Posted (edited)
2 minutes ago, Tigga5 said:

Holy Hell... You can't be serious with this statement? Most images on the internet aren't supposed to be secured behind account authentication like Emby. That's just an unbelievably stupid defense there.

LOL and you are not authorized to just take them either. But if you know the information you can get really anything you want, and if my images, which I got from somewhere else, are so important, you can have them.

But to each their own.

Edited by Happy2Play
