When the Emby server is exposed to the public net, then every item image is accessible without authentication or api key!
This is especially critical if someone has private photo libraries in Emby.
With a simple brute force attack to
http://{public domain}/emby/items/{increment number}/images/primary
it's possible to compromise every piece of someone's private life.
This has to be fixed immediately!