
Password Not Required

security

4 replies to this topic

#1 djandrius (Member)

Posted 11 March 2016 - 02:09 PM

This is a very serious security bug:

 

1. Downloaded stable Version 3.0.5882.0 (Windows 7)

2. Go through setup. I already had an account created with Emby therefore added my email address and approved in email.

3. Was asked to create a user (User1) in one of the next steps.

4. Set up libraries, set up https access (all through remote access software)

5. Now to the bad part - to my extreme surprise, when I went to my external address (keep in mind I am not even at my house while setting this up, and I have never logged on to Emby before from this computer), I am presented with a big "User1" button in the middle and there is no password required to manage the entire library! How in the world is the Admin user accessible through the external address, and how is the user account allowed to manage without a password?

 

P.S. Of course I have added password and edited account to be removed from the login screen, however not everyone without the knowledge would ever be able to know that they just exposed their media administrator to the entire world who can delete entire library with a few button clicks.


Edited by djandrius, 11 March 2016 - 02:12 PM.


#2 Luke (System Architect, Administrators)

Posted 11 March 2016 - 02:14 PM

Hi, welcome. Just create a password for that user and that will prevent access without a password. In the future we probably will revise this to encourage or require a password.



#3 djandrius (Member)

Posted 11 March 2016 - 02:37 PM

As I mentioned, I immediately created a password for that user. I am not new to the scene and I have tested MediaBrowser previously, only new to Emby.

 

If password is "empty/unset" access through external IP should be disabled by default...



#4 FrostByte (Advanced Member, ForumMod)

Posted 11 March 2016 - 03:02 PM

In the future we probably will revise this to encourage or require a password.

 

Not requiring a pw is kind of nice with just one user and using local access only.  Entering a pw is kind of a pita with some TV remotes.  I suppose a simple pw or pin wouldn't be too bad though if required.



#5 Redshirt (Android Adept, Alpha Testers)

Posted 11 March 2016 - 03:20 PM

Not requiring a pw is kind of nice with just one user and using local access only.  Entering a pw is kind of a pita with some TV remotes.  I suppose a simple pw or pin wouldn't be too bad though if required.

 

You can set up a password and then set an empty pin code.  That will allow local sign-in without a password, but still require one signing in remotely.


  • FrostByte likes this
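
The policy discussed in this thread (an empty password is only ever accepted from the local network, and a set password with an empty PIN skips the prompt locally but not remotely), sketched as an added example that is not part of the original posts and is not Emby's code. The function and parameter names are hypothetical, and "local" is assumed to mean a loopback, link-local or private peer address.

```python
import ipaddress

# Constructed policy sketch; all names here are hypothetical, not Emby's API.


def is_local_client(remote_addr: str) -> bool:
    """True only if the peer address is loopback, link-local or private."""
    try:
        ip = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False  # unparseable address: treat as remote (fail closed)
    # Dual-stack sockets report IPv4 peers as ::ffff:a.b.c.d. Unwrap first,
    # because older Python releases classify every mapped address as private.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    return ip.is_loopback or ip.is_link_local or ip.is_private


def may_sign_in(remote_addr: str, has_password: bool, password_ok: bool,
                local_pin_empty: bool = False) -> bool:
    """Decide whether a sign-in attempt is accepted.

    has_password    -- the account has a non-empty password configured
    password_ok     -- the supplied password matched (ignored if none is set)
    local_pin_empty -- account is configured to skip the prompt on the LAN
    """
    local = is_local_client(remote_addr)
    if not has_password:
        # Empty/unset password: never accept from outside the local network.
        return local
    if local and local_pin_empty:
        # Password set, empty local PIN: no prompt for in-network clients.
        return True
    # Every other case, including all remote sign-ins, needs the password.
    return password_ok
```

If the server sits behind a reverse proxy, every connection arrives from the proxy's own address, so the check has to run on a client address taken from a proxy the server is configured to trust, otherwise all remote users look local.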




