boomer41 Posted August 1, 2017 (edited)

Good Day,

As I was reading through the code of the media server, I found the following privacy and security issues:

1. Unique device ids + user account names sent to mb3admin.com

Each device is generating a unique device id, which is then sent to mb3admin.com. This does also include the server's unique key and the user's username. This allows per user and per device tracking including public ip addresses. I understand that this is used to verify premiere licenses. But please proxy these requests through your local emby server - or even better - check those licenses locally. If you want to say that this is then easily crackable, please read until the end.

"GET /admin/service/registration/validateDevice?serverId=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&deviceId=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY&embyUserName=XXXXXX&deviceName=Chrome&appName=Emby%20Mobile&appVersion=3.2.26.0 HTTP/1.1" 200 31

2. Removing mobile app statistics collection or implementing an opt-in/out feature

Please read ebr's answer to this point.

Currently the Android mobile app sends statistics to mb3admin.com, whereas there is no notice to the user that data is sent nor is there an opt-in/out setting. This is definitively violating the user's privacy. Please create a setting to opt-in to send statistics. Opt-out would also be ok if you inform the user before sending any data. And again, this leaks the user's public ip address.

"GET /admin/service/statistics/appAccess HTTP/1.1" 200 0

3. Emby server "registers" with Emby connect using the server's unique key

Please only register with emby connect when there are actual users with an emby premiere email attached. This also leaks the server's unique key and enables tracking.

Info HttpClient: HttpClientManager POST: https://connect.emby.media/service/Servers?id=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Info HttpClient: HttpClientManager GET: https://connect.emby.media/service/ServerAuthorizations?serverId=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

4. Adding HTTPS certificate validation

Currently, the Emby-Server does not even bother to check the validity of the mb3admin.com-certificate. With that said, it is very easy to redirect victims to a malicious proxy, which then sends malware packaged in plugin updates. There is no validation of these plugins. The Android-App asks me in this case to trust the new emby server? What the hell?

5. Some words about product piracy

As I already mentioned, you want people to support this product. This is absolutely fine! The only problem is your style of enforcing the restrictions. I understand that you don't want people to sell emby premiere to thousands of users, and thus need to check whether this is the case. But you can also do this locally, as both systems are easy(!) to crack. People who want to support this software will buy it anyway, because it is freakin' awesome! And there will always be black-hats cracking it in 5 minutes.

Please focus on privacy, not on tracking the hell out of people.

Thanks.
Stephan

Edited August 1, 2017 by boomer41
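To illustrate point 4 from a defender's side, here is an added C# example (not Emby's code) contrasting an HttpClientHandler that silently accepts any server certificate with one that keeps chain and hostname validation, and adds a digest check on a downloaded plugin package; the URL, the expected-digest argument and the PLUGIN_SHA256_PLACEHOLDER value are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Threading.Tasks;

// Added illustration, not Emby's code. Shows the weak pattern (certificate errors ignored)
// beside a hardened client, plus an out-of-band digest check for an update package.
static class PluginDownloader
{
    // Weak: every certificate is accepted, so anyone on the network path can impersonate
    // the update host and serve an arbitrary package.
    static HttpClient InsecureClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) => true
        };
        return new HttpClient(handler);
    }

    // Hardened: only a certificate that passed normal chain and hostname validation is
    // accepted. Leaving the callback null (the default) gives the same behaviour.
    static HttpClient SecureClient()
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (msg, cert, chain, errors) =>
                errors == SslPolicyErrors.None
        };
        return new HttpClient(handler);
    }

    // Compares the SHA-256 of the downloaded bytes with a digest obtained separately
    // (for example from a catalogue fetched over an already-validated TLS connection).
    static bool DigestMatches(byte[] payload, string expectedHexSha256)
    {
        using var sha = SHA256.Create();
        byte[] actual = sha.ComputeHash(payload);
        return CryptographicOperations.FixedTimeEquals(actual, Convert.FromHexString(expectedHexSha256));
    }

    // Downloads over a validated connection and refuses packages whose digest does not match.
    static async Task<byte[]> FetchPluginAsync(Uri url, string expectedHexSha256)
    {
        using var client = SecureClient();
        byte[] bytes = await client.GetByteArrayAsync(url);
        if (!DigestMatches(bytes, expectedHexSha256))
            throw new InvalidOperationException("plugin package digest mismatch; refusing to install");
        return bytes;
    }
}
```

Call it as `await PluginDownloader.FetchPluginAsync(new Uri("https://example.invalid/plugin.zip"), "PLUGIN_SHA256_PLACEHOLDER")` with a real published digest in place of the placeholder.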
ebr Posted August 1, 2017

> Removing mobile app statistics collection or implementing an opt-in/out feature
>
> Currently the Android mobile app sends statistics to mb3admin.com, whereas there is no notice to the user that data is sent nor is there an opt-in/out setting. This is definitively violating the user's privacy. Please create a setting to opt-in to send statistics. Opt-out would also be ok if you inform the user before sending any data. And again, this leaks the user's public ip address.
>
> "GET /admin/service/statistics/appAccess HTTP/1.1" 200 0

Despite the url, this is not statistics collection. This is validation for people who purchased a previous developer's version of the app. It allows us to give them access without having to re-purchase. Statistics collection does have an opt in/out setting on the server and is run through the server. For more information on our privacy policy, please see here.
boomer41 (Author) Posted August 1, 2017

Hi ebr,

Thanks for the clarification, post edited.

Greetings
Luke Posted August 1, 2017

For the android mobile one, now that we are doing store vouchers instead, eventually that will be able to just go away, but not yet.
Untoten Posted August 5, 2017

+1
Baenwort Posted September 12, 2017

Any change in plug-in validation and security certs?
Luke Posted September 13, 2017

Yes, with the .NET Core version of the server it will be validating certs. It is only for linux and mac distributions based on mono that we've had to do that. Over the next several weeks our releases will begin changing over from mono to .net core. Thanks.