
Security concerns



arcooke

Hi.  I'm just getting Emby set up for the first time and I've run into some rather alarming security concerns, and a whole lot of account and authentication issues.

 

With a default installation and "hide my profile icon" disabled, if my server is opened to the outside world, anyone in the world can click the profile icon and watch movies, but they can also get into the administration panel and manage the server.  No logging in necessary.  No authentication needed whatsoever.  The "Hide my profile" checkbox is so much more than that.. it's more like a "Don't let the public access my account" checkbox.

 

I tested this using my phone with wifi disabled, with my VPN turned on, and a browser in private mode so all sessions and cookies are unloaded.  What the heck?!  First of all, it shouldn't ever be possible to get into an account without any authentication.  Ever.  Period.  But the server administration panel?!  They have full access to the server configuration, including the certificate.  I give Emby read-only access to content on my NAS, but if I allowed write access, anyone in the world could delete my media.

 

A less experienced user may not realize the potential here, or think to check.  An attacker could delete their entire media library.  This is a really big problem.

 

 

See below (I can't take screenshots in private browsing mode, had to take photo) 

1) On my public domain

2) VPN connected (green dot)

3) Brave Browser in private browsing mode with no cookies or session data

4) Wifi disconnected, off LAN, using cellular data

5) No username or password was ever entered in the private browser.

6) I'M EDITING MY FREAKING CERTIFICATE SETTINGS

 

[Photo attachment: cNvOZJu.jpg]

 

 

 

Alarming issue #2:

 

I invited my friend through Emby Connect yesterday. He was having trouble accessing my server through his emby connect account, so at some point he used the manual add server option using my domain and port. Suddenly, he's logged in as ME on his Roku. He sent me a photo of his TV.. it showed my avatar and my name on his TV; on a different network, in another state. How on earth did he manage to get into my personal Emby account without ever being given a password? I think this is directly connected to the first issue above.

 

 

What on earth is up with this? Are there any other threads open that are discussing this issue? If not, this needs to be talked about.


mastrmind11

Set up a password for your admin account. Plenty of experienced, tech- and security-savvy, long-time users would have come across this already if it were an actual defect, and it would most certainly have been talked about.


arcooke

Hi. Did you set up an admin account and NOT give it a password?

 

I set up an initial account during the setup wizard and filled in the boxes it gave me to fill in.  Then I immediately connected it to my Emby Connect account from the user settings page.  At that point I assumed I was all set up, with my new user linked to my Emby Connect account.  If these accounts are separate, that explains a lot of confusion with the account management in Emby. Nothing along the way hinted to me that there was any need for a 2nd password beyond linking my Emby Connect account.  Usually account linking takes care of the auth side of things.

 

The initial account created in the setup wizard doesn't even give you an option to set up a password if I recall correctly, only a name to identify you by.. but that account is given full rights by default.  I don't remember ever being told or suggested that I need to set up another password for the account.  Remember, by this point I assumed auth was taken care of by Emby Connect.  Either way though, under no circumstance should a server admin dashboard be accessible without a password.  An admin account without a password should be impossible under any scenario.

 

There needs to be clearer information how this is supposed to work, and it should enforce a password if the initial account is intended as an admin account. 

  • Like 1

mastrmind11

 Either way though, under no circumstance should a server admin dashboard be accessible without a password.  An admin account without a password should be impossible under any scenario.

 

This I 100% agree with.


arcooke

Do you see where I'm coming from with the confusion regarding authentication?  I still see this as a pretty big problem.

 

Think about Plex for example

* You create a plex.tv account, set up your server, then connect your server to your plex.tv account.  Everything auths through your plex.tv account.

 

With Emby

* You create an emby.media account, set up your server, create a user, connect the user to emby.media account.  You can access your server through your emby.media account.

 

So far, pretty much the same.  I think it's fair to assume that by linking your local user with your emby.media account, Emby Connect handles your authentication for that user.  That's how it works on most services like this, and that's how it seems to work with Emby up until this point.

 

By now, I have a local user account on my Emby server, which is linked to my Emby Connect account.  I am signed in on my Nvidia Shield, I'm signed in on my phone.  As far as I'm concerned, everything seems to be set up how it should be.  

 

Then I decide to do an access test off-network, and suddenly realize anyone in the world can log into my admin dashboard because Emby Connect isn't managing authentication.  And it's accepting passwordless logins on top of it (I guess?).  Nothing during the setup procedure hinted at the fact that your local emby accounts need separate passwords.  I suspect there are other users out there who have their admin dashboards wide open right now.. luckily I caught it early.

 

 

I got it all figured out, but it wasn't straightforward and there seems to be potential for some pretty nasty attacks if someone were to accidentally leave this open not realizing their account doesn't require a password.

Edited by arcooke
  • Like 1

adamstewiegreen

I also assumed what arcooke assumed, that my emby connect was authenticating my admin account.  I did the same test he did and easily got into my emby admin with no password, username or even emby connect, just my address.

 

Big thanks to @arcooke for pointing this out, I now have a password for my admin account. /facepalm

 

Lucky for me my server is hidden behind a VPN 95% of the time.


pir8radio

The main reason people like emby is because you are not required to authenticate through emby's third party servers like plex does.  You can authenticate directly to your server.   Emby offers both ways.     

 

Maybe emby can add a "warning" to set a password, as part of the setup wizard?

Edited by pir8radio
  • Like 2

arcooke

I understand that now, but as a new user coming from Plex, Emby offers just enough similar functionality to assume it works the same.  And that assumption is extremely dangerous because it can leave your server open to attack because Emby isn't instructing users to secure their admin account.

I definitely think there needs to be some better password enforcement and clearer information about how Emby Connect works (and doesn't work). I suspect there are a lot of people like myself and @adamstewiegreen who accidentally left it wide open assuming the central account is all we needed. Allowing access to anything without a password is totally baffling to me. If there's ever a situation where an account can be accessed without a password, it needs to be explicitly opt-in by the user so there's no question.

 

If you guys can temporarily forget everything you know about Emby and approach it as a new user getting set up for the first time, I think you'll see how easy it is to miss this.


notla49285

I think there seems to be a flaw where the Emby Connect user has a password but your Emby Server user does not. Therefore, navigating to your domain (if you have one) will go directly to your server and therefore allow login without a password. Navigating to the server via its IP address, be that via a web browser or a device such as a Roku, would do the same; however, visiting emby.media should still force a password as you'll be using your Emby Connect credentials. Presumably your local server user has a much simpler username (e.g. Dave) whereas your Emby Connect user is different (arcooke).

 

Immediate fix is to change your Emby Server user's password via Dashboard -> Users -> Password. I presume you'd leave the "Current password" as blank and just set the "New password" and "New password confirm".

 

Long term, Emby devs need to make it impossible to have a server admin without a password and also if there is only one user on the server they must also have a password. Normally I'd have a go at the user for not setting their passwords properly but I do admit with this one there can be confusion between local users and Emby Connect Users :/

Edited by notla49285

Long term, Emby devs need to make it impossible to have a server admin without a password and also if there is only one user on the server they must also have a password. Normally I'd have a go at the user for not setting their passwords properly but I do admit with this one there can be confusion between local users and Emby Connect Users :/

 

I don't think we have to be that strict.  Some people may be setting up a completely private server for just them and don't want to have to deal with passwords.

 

Two things should help address this:

 

1) We are working on re-designing the whole "Connect" thing to be much simpler so that this type of confusion cannot happen

2) We should probably require all admin accounts (perhaps even all accounts) to have a password necessary for remote access.

  • Like 2
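The rule proposed in point 2 above, sketched as an added example (not Emby's code and not part of any post): a passwordless sign-in is honoured only from the LAN, and a linked Connect account does not count as a local password. The field names, the sample accounts and the reverse-proxy handling are assumptions that go slightly beyond what the thread describes.

```python
import ipaddress

# Ranges treated as "on the LAN"; everything else counts as remote access.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def client_ip(peer, forwarded_for=None, trusted_proxies=()):
    """Return the address to judge. Behind a reverse proxy the socket peer is
    the proxy itself (usually a LAN address), so every visitor would look local;
    only for a trusted proxy is the right-most X-Forwarded-For entry used."""
    if forwarded_for and peer in trusted_proxies:
        return forwarded_for.split(",")[-1].strip()
    return peer

def is_remote(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr.version == net.version and addr in net
                   for net in LOCAL_NETS)

def passwordless_login_allowed(user, ip, all_accounts=False):
    """An account with no local password may sign in without one only from
    the LAN. By default the rule binds admin accounts; all_accounts=True is
    the "perhaps even all accounts" variant. connect_linked is deliberately
    ignored: a linked Connect account is not a local password."""
    if user["has_password"]:
        return False   # a password exists, so it must be presented
    if not is_remote(ip):
        return True    # private, LAN-only use without passwords stays possible
    return not (user["is_admin"] or all_accounts)

# Constructed sample accounts (hypothetical fields, not Emby's schema).
USERS = [
    {"name": "Dave", "is_admin": True,  "has_password": False, "connect_linked": True},
    {"name": "Kids", "is_admin": False, "has_password": False, "connect_linked": False},
    {"name": "Anna", "is_admin": True,  "has_password": True,  "connect_linked": False},
]

def audit(users, all_accounts=False):
    """Names of accounts that need a password before the server is exposed."""
    return [u["name"] for u in users
            if not u["has_password"] and (u["is_admin"] or all_accounts)]

if __name__ == "__main__":
    print("set a password for:", audit(USERS))
```
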

notla49285

2) We should probably require all admin accounts (perhaps even all accounts) to have a password necessary for remote access.

 

This would be a better idea to be fair, in case of private servers


pir8radio

If you guys can temporarily forget everything you know about Emby and approach it as a new user getting set up for the first time, I think you'll see how easy it is to miss this.

 

 

lol sorry I just had to point out the irony in this line...   Your whole argument is based on "plex does it this way so I assumed it was the same".    Think if you would have taken your own advice you probably would have set a password...    :)

 

But I'm not hatein'. I agree there should at least be a warning.. Like some of these new wifi routers, that say "don't forget to set a wifi password or your stuff will be wide open".

Edited by pir8radio

adamstewiegreen

I'm not sure how long mine didn't have a password.  It was probably only from the switch to Emby 4 since I started from scratch because I had some issues upgrading.  I - personally - wouldn't use the "plex does it this way..." argument, I just think if something that important is easy to miss it probably should be addressed.

 

I don't blame Emby either, it's my responsibility.


Gilgamesh_48

...

Your whole argument is based on "plex does it this way so I assumed it was the same".    Think if you would have taken your own advice you probably would have set a password...    :)

...

 

I just want to point out that doing just about anything in a particular way because Plex does it that way is almost certain to be a mistake. Plex places monetary gain first and everything about users, including security, second. Plex's security model may work and be very secure BUT it is well to think everything through independently and not copy Plex's methods.

 

Plex does many things right and many things wrong; the trick is knowing which is which.

 

Also it is best practice to go into any new application with no assumptions about how it does or does not work.
