Jump to content

Media streams are not secure

Recommended Posts

I like Emby enough that I bought a premiere license a while back but after discovering what I believe is a major security hole I'm rethinking using the server. Media streams do not require authentication.


Steps to reproduce (using version

Note: this example is using a video but the problem persists for all content types.

  1. Log into Emby from your browser (in this example, Chrome).
  2. Open the developer tools -> Network tab.
  3. Filter the traffic by "stream.mov".
  4. Play any video and you should see a GET request show up.
  5. Copy the entire "stream.mov" URL.
  6. Fully clear your browser.
  7. Paste in the copied URL.
  8. Bam, video downloads without any type of authentication.

Users can copy & paste this link, allowing unauthenticated sharing.


Since it's a GET request anyone can sniff the requested URL, regardless of HTTP/S, and grab whatever you're watching.

  • After NomadCF's reply & more research I found the rest of the URL is not accessible over HTTPS. So this concern is void.

I can't be the first to notice this. Suggestions welcome; No I can't force all users through a VPN.

Edited by Embite
  • Like 1
Link to post
Share on other sites

Its always been this way, security in emby is questionable from a few stand points especially when it comes to the streams. But if you force everything over ssl "this" "problem" become non existant. As unless a user is connecting via a device that is setup to allow a man in the middle scanner (SSL inspection). Then no one but the client (and server) could/can see the GET info. The only thing they could see is the domain FQDN and the port.  

Link to post
Share on other sites

Thanks NomadCF,


Yes, I assumed the rest of the URL could be seen, which after a little more research I found was incorrect. So that does plug one of the concerns.


But - Users that know how to use the dev tools can simply copy & paste a link somewhere/to other people that would allow unauthenticated downloads. That is still a problem.

Edited by Embite
Link to post
Share on other sites

Since we have to be able to use a wide gamut of players for these streams, I'm not sure we could make them completely "secure".


Again, though, being secure and being usable is a balancing act and some of the responsibility for security has to fall on the local configuration.

Link to post
Share on other sites

The url contains a security token as well. It will not last forever and the request will be rejected when it expires.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...