pünktchen 1313 Posted April 9, 2020 When the Emby server is exposed to the public net, every item image is accessible without authentication or an API key! This is especially critical if someone has private photo libraries in Emby. With a simple brute-force attack against http://{public domain}/emby/items/{increment number}/images/primary it's possible to compromise every piece of someone's private life. This has to be fixed immediately!
Luke 38533 Posted April 9, 2020 This is the last API left that doesn't require an API key, and yes it should be changed. Apps will need updating first though.
neik 860 Posted April 9, 2020 (edited)
Quote: This is the last API left that doesn't require an API key, and yes it should be changed. Apps will need updating first though.
Well, then this should be priority 1; otherwise inform your Premiere users to avoid camera upload, as their pictures could get exposed on the internet. Sorry, but this is critical! Edited April 9, 2020 by neik
TeamB 2386 Posted April 10, 2020 Adding api_key to all images will affect clients a lot, not just from an access point of view but also for caching the images for future use, as the URLs of images would change with token changes and for each user. Perhaps user-supplied images for photo albums need to be treated differently than item artwork.
rechigo 294 Posted April 10, 2020 It would also require plugins that post new content notifications to external sources to upload thumb images to services like imgur to avoid exposing server URLs with API keys.
whiteone69 0 Posted June 1, 2021 I still see this happening on version 4.6.2.0. Are there still plans to have this fixed?
Luke 38533 Posted June 1, 2021 We'd have to rework the apps first to start updating their image URLs, and unfortunately it would break older versions of apps that can't be updated anymore. But yes, it's something that can be done.
pünktchen 1313 (Author) Posted July 9, 2021
On 6/1/2021 at 8:00 PM, Luke said: We'd have to rework the apps first to start updating their image URLs, and unfortunately it would break older versions of apps that can't be updated anymore. But yes, it's something that can be done.
Over a year is plenty of time to get this done!!! As for the client versions, a simple solution would be to provide a new network setting (default to off): "Force authentication for image requests in remote sessions". This way, if clients connect to the server, they would know from the system info how to make a request, and the server admin can choose this option if he knows all his users' client apps support authentication for images as well.
Luke 38533 Posted July 9, 2021
Quote: what would be a simple solution is to provide a new network setting (default to off) "Force authentication for image requests in remote sessions".
Yes, something like that is what we would have to do.
visproduction 182 Posted July 11, 2022 I think that part of the issue is the time to load the page with jpg restricted. Apparently, a request like this causes the page to require an image permissions check for each image, which slows the page load by perhaps 1 second per 20 thumbnail images. Are you seriously willing to live with that? Maybe there is a way out. Here is a discussion. I am not sure it applies to Emby code. https://stackoverflow.com/questions/3990337/how-to-protect-against-direct-access-to-images
Luke 38533 Posted December 15, 2022
30 minutes ago, DJX said: Any update on this one?
Hi, not yet, sorry.
davidecavestro 0 Posted July 22, 2023 (edited) This is my experience: started Emby, shared a link to a sample image, saw the link was accessible without any auth check, stopped Emby. Definitely embarrassing... I must suppose Emby is meant for other usages. Edited July 22, 2023 by davidecavestro
Luke 38533 Posted July 22, 2023
11 hours ago, davidecavestro said: This is my experience: started Emby, shared a link to a sample image, saw the link was accessible without any auth check, stopped Emby. Definitely embarrassing... I must suppose Emby is meant for other usages.
Hi, it's only images that this is possible with, and we are working on resolving it. Thanks.
CatSama 1 Posted July 22, 2023 After 3 years, they are still working on it. I will never allow my private photos to be exposed on the public internet. So, whatever. You don't fix it, I don't use it. I will unfollow this topic.
geppii 2 Posted August 26, 2023 (edited) Edit: Wrong thread, sorry. Edited August 26, 2023 by geppii
pünktchen 1313 (Author) Posted October 17, 2023 This will probably take some more years to get solved, but @Luke could you at least please make sure that every client request is sending the deviceId either in the query string or in the headers?! This way one could easily block unwanted requests in proxy software.
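As an added example, not code from this thread or from Emby, the following Python policy implements the proxy-side gate suggested above and classifies the kind of bare image request the opening post describes. The route shape `/emby/Items/{id}/Images/{type}`, the `X-Emby-Token` and `X-Emby-Authorization` headers, and the `api_key`/`DeviceId` query parameters are assumptions about what Emby clients send; the sample requests are constructed. The decision function is pure so it can be checked offline and then ported to whatever proxy (nginx `map`/`if`, a WSGI middleware, a mitmproxy addon) sits in front of the server.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed route shape for item images, e.g. /emby/Items/1313/Images/Primary
# or /Items/1313/Images/Backdrop/0. Emby routes are treated as case-insensitive
# and the /emby prefix and trailing index as optional (assumptions).
IMAGE_PATH = re.compile(
    r"^(?:/emby)?/items/(?P<id>\d+)/images/[a-z]+(?:/\d+)?/?$", re.IGNORECASE
)

# Assumed credential carriers: a bare token header, the structured
# 'MediaBrowser Client="...", DeviceId="...", Token="..."' header, or query keys.
TOKEN_HEADER = "x-emby-token"
AUTH_HEADER = "x-emby-authorization"
QUERY_KEYS = ("api_key", "deviceid")


def parse_authorization(value):
    """Parse a 'MediaBrowser Key="v", Key2="v2"' header into a dict of lowercased keys."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "mediabrowser":
        return {}
    return {k.lower(): v for k, v in re.findall(r'(\w+)="([^"]*)"', rest)}


def decide(method, target, headers):
    """Return (verdict, reason) for one proxied request.

    'pass'  - not an image endpoint, leave it to the server's own auth checks
    'allow' - image endpoint carrying a token or device identity
    'deny'  - anonymous image endpoint request, the pattern a scanner produces
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    parts = urlsplit(target)
    if not IMAGE_PATH.match(parts.path):
        return ("pass", "not an image endpoint")
    if hdrs.get(TOKEN_HEADER):
        return ("allow", "token header present")
    auth = parse_authorization(hdrs.get(AUTH_HEADER, ""))
    if auth.get("token") or auth.get("deviceid"):
        return ("allow", "authorization header carries token or deviceId")
    query = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    if any(query.get(k) for k in QUERY_KEYS):
        return ("allow", "query string carries api_key or deviceId")
    return ("deny", "anonymous image request (item %s)" % IMAGE_PATH.match(parts.path)["id"])


# Constructed sample traffic: an ID-enumeration style bare request, two
# legitimate client shapes, and a non-image request that is passed through.
SAMPLE_REQUESTS = [
    ("GET", "/emby/items/1313/images/primary", {}),
    ("GET", "/emby/Items/1313/Images/Primary?api_key=abc123", {}),
    ("GET", "/Items/1313/Images/Backdrop/0",
     {"X-Emby-Authorization":
      'MediaBrowser Client="Emby Web", Device="Firefox", DeviceId="d0e1", Version="4.8", Token="abc123"'}),
    ("GET", "/emby/Items/1313", {}),
]


def run(requests=SAMPLE_REQUESTS):
    """Apply the policy to each request and return the list of verdicts."""
    return [decide(*req)[0] for req in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, run()):
        print(verdict, req[1], decide(*req)[1])
```

Two caveats a practitioner should keep in mind. A deviceId is not a secret, so gating on it (or on the mere presence of a token header) only stops naive ID enumeration; anyone who captures one legitimate client request can replay the same identifiers. The proxy also cannot verify that a token is valid without forwarding the request to the server, so this is a stop-gap filter, and the real fix remains server-side enforcement as discussed in the thread.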
Junglejim 373 Posted October 20, 2023
On 23/07/2023 at 05:44, CatSama said: After 3 years, they are still working on it. I will never allow my private photos to be exposed on the public internet. So, whatever. You don't fix it, I don't use it. I will unfollow this topic.
Uploading photos from phones/PCs etc. from multiple clients is a totally stupid idea that these devs can't or won't remove! SAD!!
bakes82 133 Posted October 23, 2023 But guess what, you can change the accent colors in 4.8!!!
Luke 38533 Posted October 23, 2023
On 10/20/2023 at 6:58 AM, Junglejim said: Uploading photos from phones/PCs etc. from multiple clients is a totally stupid idea that these devs can't or won't remove! SAD!!
The camera upload feature has nothing to do with this topic.
Junglejim 373 Posted October 23, 2023
1 hour ago, Luke said: The camera upload feature has nothing to do with this topic.
I think it does; private photos shouldn't be uploaded in the first place. I'd go as far as saying Emby doesn't need a personal photo library at all, with so many other ways to host your photos.
Luke 38533 Posted October 23, 2023
2 minutes ago, Junglejim said: I think it does; private photos shouldn't be uploaded in the first place. I'd go as far as saying Emby doesn't need a personal photo library at all, with so many other ways to host your photos.
It doesn't relate. This topic is about downloading images from the server, not adding new ones. But since you're on the topic: the camera upload feature is off by default, users have to opt into it, they have to go through the permission request on the device so that the app can access the photos, and then they have to select which folders from the device they want to upload. So it is the user's choice, and in the upcoming 4.8 server release there is a new user permission to block the uploads from getting into the server.