djandrius

Password Not Required

djandrius

This is a very serious security bug:

 

1. Downloaded stable Version 3.0.5882.0 (Windows 7)

2. Go through setup. I already had an account created with Emby, therefore I added my email address and approved it in email.

3. Was asked to create a user (User1) in one of the next steps.

4. Set up libraries, set up HTTPS access (all through remote access software)

5. Now to the bad part - to my extreme surprise, when I went to my external address (keep in mind I am not even at my house while setting this up, and I have never logged on to Emby before from this computer), to my surprise I am presented with a big "User1" button in the middle and there is no password required to manage the entire library! How in the world is the Admin user accessing through an external address and allowing a user account to manage without a password?

 

P.S. Of course I have added a password and edited the account to be removed from the login screen; however, not everyone without the knowledge would ever be able to know that they just exposed their media administrator to the entire world, who can delete the entire library with a few button clicks.

Edited by djandrius

Luke

Hi, welcome. Just create a password for that user and that will prevent access without a password. In the future we probably will revise this to encourage or require a password.

djandrius

As I mentioned, I immediately created a password for that user. I am not new to the scene and I have tested MediaBrowser previously, only new to Emby.

 

If the password is "empty/unset", access through an external IP should be disabled by default...

FrostByte

In the future we probably will revise this to encourage or require a password.

 

Not requiring a pw is kind of nice with just one user and using local access only.  Entering a pw is kind of a pita with some TV remotes.  I suppose a simple pw or pin wouldn't be too bad though if required.

Redshirt

Not requiring a pw is kind of nice with just one user and using local access only.  Entering a pw is kind of a pita with some TV remotes.  I suppose a simple pw or pin wouldn't be too bad though if required.

 

You can set up a password and then set an empty pin code.  That will allow local sign-in without a password, but still require one signing in remotely.

  • Like 1
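
The default proposed earlier in the thread (no remote access for an account with no password), combined with the local-only convenience sign-in described in the last reply, as an added example that is not part of any post and is not Emby's code. The `Account` record, its fields and the list of local ranges are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Address ranges treated as "local" here (an assumption of this example).
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Account:  # hypothetical record, not Emby's user model
    name: str
    has_password: bool
    empty_local_pin: bool = False  # "password set, PIN left empty" setup


def is_local(peer: str) -> bool:
    """True only if the socket peer address is in LOCAL_NETS; fail closed."""
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return False  # an unparseable address is treated as remote
    # ::ffff:192.168.1.5 is an IPv4 client seen on a dual-stack socket.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in LOCAL_NETS)


def required_credential(acct: Account, peer: str) -> str:
    """Return 'none', 'password' or 'deny' for a sign-in attempt."""
    if is_local(peer):
        if not acct.has_password or acct.empty_local_pin:
            return "none"  # in-network convenience sign-in
        return "password"
    # Remote peer: a passwordless account is never reachable.
    return "password" if acct.has_password else "deny"


# Constructed sample accounts and peer addresses.
user1 = Account("User1", has_password=False)
tv = Account("LivingRoom", has_password=True, empty_local_pin=True)
for acct, peer in [(user1, "192.168.1.20"), (user1, "203.0.113.7"),
                   (tv, "::ffff:10.0.0.5"), (tv, "203.0.113.7")]:
    print(acct.name, peer, required_credential(acct, peer))
```

If the server sits behind a reverse proxy or tunnel on the same host or LAN, the socket peer is the proxy, so every request looks local; the check then has to use the client address supplied by that trusted proxy instead.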
