Jump to content

Theatre: Can access unknown users server


youngsheehans
 Share

Recommended Posts

youngsheehans

This evening I started up emby theatre and it presented a server named "Alex" as a media server to connect to.

 

I was successfully able to connect to, browse & watch a movie from this server. Only upon talking with the Alex I know personnally did i discover that this actually wasnt his server at all; I had connected to some random strangers server and watched a movie off it.

 

Their taste in media was, thankfully, more than acceptable, However I imagine this is a bug.

 

I sent a message to the member named "Alex" letting them know the details.

 

I have recently removed my emby connect details from the associated emby media server login: there appeared to be a number of exceptions happening fairly frequently in the logs related to emby connection. Not sure if it is related.

Link to comment
Share on other sites

youngsheehans

I looked at emby theatre logs & the other guys WAN ip looked to be from the same pool as mine. Its likey i had his ip address at some stage, quite possibly just before i removed my emby connect info from my server

Link to comment
Share on other sites

I really think passwords should be enforced in a WAN access scenario. Or maybe have some kind of ACL.

Link to comment
Share on other sites

Exactly like that! :) Where does one find it? I checked under Dashboard >Advanced Settings > Hosting/Security. Also under Dashboard > Devices

 

I did see something similar but regarding API keys, but these are automatically generated by logging in with an account? (which then lacking a password would be insecure). Would one just need to revoke these to deny access?

Link to comment
Share on other sites

Ah! I found it. In user settings. Even so, we have this but it is not enforced automatically. The way it currently stands, any Emby server, unless specifically locked down by a user (on a user per user basis!), is vulnerable to external control - given a WAN IP?

 

My actual server is not on the internet so I have not really gone that far into the related configuration. But usually one would have to map ports for all this (which would require a general level of proficiency and hopefully, likewise, caution) and in this case Emby just does it for you! So from day 0 the server has set itself up for unsecured WAN access, whether the user wants such or not?

 

Now consider the average user who is just using this in his LAN at home, would he even consider the possibility that this server is accessible via the internet? Would he ever think to secure his accounts from malicious use, in his own home?

 

I doubt that many people think further than their router (if they even know what that is!).

Link to comment
Share on other sites

You have to take responsibility for securing your access.

 

If the product acted in a more draconian way and forced you to specifically allow access to all devices all the time then the feature would be dismissed as "not working" by the majority of people who tried to use it because they wouldn't understand that they needed to do this.

 

Security vs. ease of use/access is always a delicate balance.

Link to comment
Share on other sites

I do understand. The whole out of box experience is great. It just works! 

 

My point here, though - is how many people actually want WAN access? Those who don't most likely don't even know that such is possible. Now they have no idea that they are being opened up to external influence?

 

Either way an enforced password (at least for admin level accounts!) would be something everyone is familiar with, and at least provide a modicum of protection?

Link to comment
Share on other sites

Or some kind of question in the setup wizard that asks "Do you want your server accessible from the internet?" If no, automatically disallow any connections from IP ranges outside the internal LAN address range (internal server IP range), if yes maybe do one of the following:

  • Provide some kind of pin that is required for first time connection of each new device
  • Prompt (via dashboard notification) for each new device to be allowed/denied access
  • Prompt for a required master password in settings for the initial account at least
  • At least show a page warning the user that they need to consider the security implications of allowing internet access and the related configurations that might affect them

I am not sure if you are familiar with XAMPP and the like, but the first, post-installation, run gives you a box with red yellow and green warnings regarding security. Something like that might be effective too.

 

I am not trying to be difficult or push my point here. I just feel that putting this kind of responsibility on potentially uninformed users is kind of irresponsible. Especially that considering those who do know what DDNS and port forwarding are (and who would generally be the kind of people that WOULD want to access their server remotely) would be more inclined to lock things down, whereas those who do not would not even consider it.

 

At the end of the day, this is just my opinion and I understand that you, as the developers of this application, have your own reasons for doing things a certain way. So I will stop pressing the issue now. It does not even affect me. Just had to add my bit. Hope I am not being annoying.

Edited by tarnalcock
Link to comment
Share on other sites

Or some kind of question in the setup wizard that asks "Do you want your server accessible from the internet?" If no, automatically disallow any connections from IP ranges outside the internal LAN address range (internal server IP range), if yes maybe do one of the following:

 

I think the wizard does ask this (or at least used to) and we don't have to block IP ranges, we just don't open the port.  If the port is not open then no one can see your server from the outside in the first place.

 

Also, there is a check box in settings to enable/disable automatic port mapping (maybe a better description of what this really means is warranted).

 

However, none of this would have addressed this specific instance which was a case of one Emby user actually being assigned another Emby user's old IP address before the system was able to adjust to the change.

Link to comment
Share on other sites

Deathsquirrel

You have to take responsibility for securing your access.

 

If the product acted in a more draconian way and forced you to specifically allow access to all devices all the time then the feature would be dismissed as "not working" by the majority of people who tried to use it because they wouldn't understand that they needed to do this.

 

Security vs. ease of use/access is always a delicate balance.

 

I haven't installed a fresh server too recently so just to confirm, neither opening the server to the internet by modifying firewall rules nor using Emby Connect are default behaviors correct?  These are things a user enables themselves?

Link to comment
Share on other sites

Opening the firewall is definitely a default behavior because there is no way the server can work without it.  However, I think depending on the user's security level settings, they almost always will get a prompt from that firewall that they have to respond to.

Link to comment
Share on other sites

Deathsquirrel

Opening the firewall is definitely a default behavior because there is no way the server can work without it.  However, I think depending on the user's security level settings, they almost always will get a prompt from that firewall that they have to respond to.

 

Yes, my bad.  Opening a port on the router/firewall not the local windows software firewall.  I wasn't specific.  Does Emby default to modifying your router rules to open an inbound port from the internet?  I know at one point it did but thought that had been switched to a manually activated option.

Link to comment
Share on other sites

Luke will have to confirm but I think it asks you the question Tarnal suggested above - something to the effect of "Do you want to be able to access Emby from ...".

Link to comment
Share on other sites

youngsheehans
...

 

However, none of this would have addressed this specific instance which was a case of one Emby user actually being assigned another Emby user's old IP address before the system was able to adjust to the change.

 

There seems to be some misunderstanding, perhaps by me, of what actually happened and should happen.

 

  • LAN

    My Server(s) presence are broadcast within the same network as the client(s). Authentication is by connection to the same network (i.e. if i've let a bad guy onto my home wifi, thats my fault) AND Emby Server Logins 

  • WAN

    My Server(s) presense is notified to the Emby Connect Server for any Emby Server Logins with associated Emby Connect. Authentication is by Emby Connect username & password associated either with an Emby Server Login OR an Emby Server Login having issued an invitation

  • The Bug

    The WAN connection from my network out to someone elses appeared to validate an Emby Connect user by Public IP. It should(?yes/no?) have authenticated by Emby Connect username & password (I was never prompted for a password) AND confirmation from "Alex"'s Emby Server that my Emby Connect still associated back to an Emby Server Login.

 

The public facing router settings that allow web interface access shouldnt be of interest to Emby... if I'm going to do that, that's my responsibility. My guess was Emby Connect operates using private-shared-public-key encryption and so is different to the LAN web services / web interface?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...