I like Emby enough that I bought a premiere license a while back but after discovering what I believe is a major security hole I'm rethinking using the server. Media streams do not require authentication.
Steps to reproduce (using version 126.96.36.199):
Note: this example is using a video but the problem persists for all content types.
- Log into Emby from your browser (in this example, Chrome).
- Open the developer tools -> Network tab.
- Filter the traffic by "stream.mov".
- Play any video and you should see a GET request show up.
- Copy the entire "stream.mov" URL.
- Fully clear your browser.
- Paste in the copied URL.
- Bam, video downloads without any type of authentication.
Users can copy & paste this link, allowing unauthenticated sharing.
Since it's a GET request anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching.
- After NomadCF's reply & more research I found the rest of the URL is not accessible over HTTPS. So this concern is void.
I can't be the first to notice this. Suggestions welcome; No I can't force all users through a VPN.
Edited by Embite, 05 July 2018 - 05:52 PM.