Jump to content


Photo

Media streams are not secure

Streaming Security

  • Please log in to reply
5 replies to this topic

#1 Embite OFFLINE  

Embite

    Member

  • Members
  • 12 posts
  • Local time: 11:52 AM

Posted 05 July 2018 - 05:04 PM

I like Emby enough that I bought a premiere license a while back but after discovering what I believe is a major security hole I'm rethinking using the server. Media streams do not require authentication.

 

Steps to reproduce (using version 3.4.1.0):

Note: this example is using a video but the problem persists for all content types.

  1. Log into Emby from your browser (in this example, Chrome).
  2. Open the developer tools -> Network tab.
  3. Filter the traffic by "stream.mov".
  4. Play any video and you should see a GET request show up.
  5. Copy the entire "stream.mov" URL.
  6. Fully clear your browser.
  7. Paste in the copied URL.
  8. Bam, video downloads without any type of authentication.

Users can copy & paste this link, allowing unauthenticated sharing.

 

Since it's a GET request anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching.

  • After NomadCF's reply & more research I found the rest of the URL is not accessible over HTTPS. So this concern is void.

I can't be the first to notice this. Suggestions welcome; No I can't force all users through a VPN.


Edited by Embite, 05 July 2018 - 05:52 PM.

  • darkassassin07 likes this

#2 NomadCF OFFLINE  

NomadCF

    Advanced Member

  • Members
  • 117 posts
  • Local time: 04:52 PM

Posted 05 July 2018 - 05:37 PM

Its always been this way, security in emby is questionable from a few stand points especially when it comes to the streams. But if you force everything over ssl "this" "problem" become non existant. As unless a user is connecting via a device that is setup to allow a man in the middle scanner (SSL inspection). Then no one but the client (and server) could/can see the GET info. The only thing they could see is the domain FQDN and the port.  



#3 Embite OFFLINE  

Embite

    Member

  • Members
  • 12 posts
  • Local time: 11:52 AM

Posted 05 July 2018 - 05:48 PM

Thanks NomadCF,

 

Yes, I assumed the rest of the URL could be seen, which after a little more research I found was incorrect. So that does plug one of the concerns.

 

But - Users that know how to use the dev tools can simply copy & paste a link somewhere/to other people that would allow unauthenticated downloads. That is still a problem.


Edited by Embite, 05 July 2018 - 05:51 PM.


#4 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 50725 posts
  • Local time: 12:52 PM

Posted 06 July 2018 - 09:17 AM

Since we have to be able to use a wide gamut of players for these streams, I'm not sure we could make them completely "secure".

 

Again, though, being secure and being usable is a balancing act and some of the responsibility for security has to fall on the local configuration.



#5 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 152577 posts
  • Local time: 12:52 PM

Posted 06 July 2018 - 01:09 PM

The url contains a security token as well. It will not last forever and the request will be rejected when it expires.

#6 Embite OFFLINE  

Embite

    Member

  • Members
  • 12 posts
  • Local time: 11:52 AM

Posted 06 July 2018 - 01:56 PM

Thanks Luke, also good to know.







Also tagged with one or more of these keywords: Streaming, Security

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users