Media streams are not secure

[Embite 1]

I like Emby enough that I bought a premiere license a while back but after discovering what I believe is a major security hole I'm rethinking using the server. Media streams do not require authentication.

 

Steps to reproduce (using version 3.4.1.0):

Note: this example is using a video but the problem persists for all content types.

1. Log into Emby from your browser (in this example, Chrome).
2. Open the developer tools -> Network tab.
3. Filter the traffic by "stream.mov".
4. Play any video and you should see a GET request show up.
5. Copy the entire "stream.mov" URL.
6. Fully clear your browser.
7. Paste in the copied URL.
8. Bam, video downloads without any type of authentication.

Users can copy & paste this link, allowing unauthenticated sharing.

 

Since it's a GET request anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching.

• After NomadCF's reply & more research I found the rest of the URL is not accessible over HTTPS. So this concern is void.

I can't be the first to notice this. Suggestions welcome; No I can't force all users through a VPN.

Edited July 5, 2018 by Embite

[NomadCF 15]

Its always been this way, security in emby is questionable from a few stand points especially when it comes to the streams. But if you force everything over ssl "this" "problem" become non existant. As unless a user is connecting via a device that is setup to allow a man in the middle scanner (SSL inspection). Then no one but the client (and server) could/can see the GET info. The only thing they could see is the domain FQDN and the port.  

[Embite 1]

Thanks NomadCF,

 

Yes, I assumed the rest of the URL could be seen, which after a little more research I found was incorrect. So that does plug one of the concerns.

 

But - Users that know how to use the dev tools can simply copy & paste a link somewhere/to other people that would allow unauthenticated downloads. That is still a problem.

Edited July 5, 2018 by Embite

[ebr 14910]

Since we have to be able to use a wide gamut of players for these streams, I'm not sure we could make them completely "secure".

 

Again, though, being secure and being usable is a balancing act and some of the responsibility for security has to fall on the local configuration.

[Luke 37056]

The url contains a security token as well. It will not last forever and the request will be rejected when it expires.

[Embite 1]

Thanks Luke, also good to know.