When the Emby server is exposed to the public net, then every item image is accessible without authentication or api key! This is especially critical if someone has private photo libraries in Emby. With a simple brute force attack to http://{public domain}/emby/items/{increment number}/images/primary it's possible to compromise every piece of someone's private life. This has to be fixed immediately!