Posted (edited)

I like Emby enough that I bought a Premiere license a while back, but after discovering what I believe is a major security hole, I'm rethinking using the server. Media streams do not require authentication.


Steps to reproduce (using version 3.4.1.0):

Note: this example is using a video but the problem persists for all content types.

  1. Log into Emby from your browser (in this example, Chrome).
  2. Open the developer tools -> Network tab.
  3. Filter the traffic by "stream.mov".
  4. Play any video and you should see a GET request show up.
  5. Copy the entire "stream.mov" URL.
  6. Fully clear your browser.
  7. Paste in the copied URL.
  8. Bam, video downloads without any type of authentication.

Users can copy & paste this link, allowing unauthenticated sharing.


Since it's a GET request, anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching.

  • After NomadCF's reply & more research, I found the rest of the URL is not accessible over HTTPS. So this concern is void.

I can't be the first to notice this. Suggestions welcome; no, I can't force all users through a VPN.

Edited by Embite
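The reproduction steps above, as a script rather than a cleared browser. This is an added example, not Emby's code and not from the thread: it replays a captured "stream.mov" URL from a client with no cookies and no browser headers, then replays it again with the token stripped, so you can tell "no authentication at all" apart from "the URL itself is the credential" (the point Luke makes further down). It assumes the token travels in a query parameter; `api_key` is used as a placeholder name, and the sample URL (host, item path, token value) is constructed.

```python
"""Replay check for a captured Emby "stream.mov" URL.

Added example (not Emby's code). Assumption: the token is a query parameter,
named here 'api_key' as a placeholder. Adjust TOKEN_PARAMS to match the name
you actually see in the dev-tools request.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed parameter name(s) carrying the token. Placeholder, override as needed.
TOKEN_PARAMS = ("api_key",)

# Constructed sample in the shape the thread describes; host, item id and
# token value are made up.
SAMPLE_URL = "https://emby.example/Videos/12345/stream.mov?Static=true&api_key=REDACTED"


def strip_token(url, token_params=TOKEN_PARAMS):
    """Return (url_without_token, names_of_removed_params)."""
    parts = urlsplit(url)
    wanted = {p.lower() for p in token_params}
    kept, removed = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in wanted:
            removed.append(name)
        else:
            kept.append((name, value))
    stripped = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment)
    )
    return stripped, removed


def fetch_status(url, timeout=10):
    """GET the URL from a fresh client: no cookie jar, no Authorization header,
    no browser identity. 'Range: bytes=0-0' asks for a single byte so the whole
    media file is not downloaded just to learn the status code."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    opener = urllib.request.build_opener()  # deliberately no HTTPCookieProcessor
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def _served(status):
    # 200, or 206 Partial Content for the ranged request, both mean "served".
    return 200 <= status < 300


def classify(status_with_token, status_without_token):
    """Map the two replay results to a verdict.

    unauthenticated : served with and without the token; no credential needed.
    token-gated     : served only while the token is present; whoever holds
                      the URL can download until the token expires.
    rejected        : not served even with the token (expired or revoked).
    inconclusive    : anything else (5xx, redirects, ...); inspect the codes.
    """
    if _served(status_with_token) and _served(status_without_token):
        return "unauthenticated"
    if _served(status_with_token) and status_without_token in (401, 403):
        return "token-gated"
    if status_with_token in (401, 403):
        return "rejected"
    return "inconclusive"


def replay_check(url):
    """Run both requests and return a summary dict."""
    stripped, removed = strip_token(url)
    with_token = fetch_status(url)
    # If no token parameter was present there is nothing to strip; reuse the result.
    without_token = fetch_status(stripped) if removed else with_token
    return {
        "verdict": classify(with_token, without_token),
        "status_with_token": with_token,
        "status_without_token": without_token,
        "token_params_removed": removed,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_URL
    for key, value in replay_check(target).items():
        print(f"{key}: {value}")
```

Run it as `python replay_check.py "<URL copied from the Network tab>"`. A "token-gated" verdict means the server does check something, but that something is embedded in the link, so copy-and-paste sharing works exactly as described in the post until the token expires; "unauthenticated" means the bare path alone is enough.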
NomadCF
Posted

It's always been this way; security in Emby is questionable from a few standpoints, especially when it comes to the streams. But if you force everything over SSL, "this" "problem" becomes non-existent, as unless a user is connecting via a device that is set up to allow a man-in-the-middle scanner (SSL inspection), no one but the client (and server) could/can see the GET info. The only thing they could see is the domain FQDN and the port.

Posted (edited)

Thanks NomadCF,


Yes, I assumed the rest of the URL could be seen, which, after a little more research, I found was incorrect. So that does plug one of the concerns.


But users that know how to use the dev tools can simply copy & paste a link somewhere / to other people, which would allow unauthenticated downloads. That is still a problem.

Edited by Embite
Posted

Since we have to be able to use a wide gamut of players for these streams, I'm not sure we could make them completely "secure".


Again, though, being secure and being usable is a balancing act, and some of the responsibility for security has to fall on the local configuration.

Posted

The URL contains a security token as well. It will not last forever, and the request will be rejected when it expires.

Posted

Thanks Luke, also good to know.
