This is a very serious security bug:
1. Downloaded stable Version 3.0.5882.0 (Windows 7)
2. Go through setup. I already had an account created with Emby therefore added my email address and approved in email.
3. Was asked to create a user (User1) in one of the next steps.
4. Setup libraries, setup https access (all through remote access software)
5. Now to the bad part - to my extreme surprise, when I went to my external address (keep in mind I am not even at my house while setting this up) and I have never logged on to Emby before from this computer, to my surprise I am presented with "User1" big button in the middle and there is no password required to manage entire library! How in the world the Admin user is accessing through external address and allow user account to manage without a password?
P.S. Of course I have added password and edited account to be removed from the login screen, however not everyone without the knowledge would ever be able to know that they just exposed their media administrator to the entire world who can delete entire library with a few button clicks.
Edited by djandrius, 11 March 2016 - 02:12 PM.