Images don't require api_key

pünktchen

When the Emby server is exposed to the public net, then every item image is accessible without authentication or api key!

This is especially critical if someone has private photo libraries in Emby.

With a simple brute force attack to

http://{public domain}/emby/items/{increment number}/images/primary

it's possible to compromise every piece of someone's private life.

This has to be fixed immediately!

This is the last api left that doesn't require an api key, and yes it should be changed. Apps will need updating first though.


neik

This is the last api left that doesn't require an api key, and yes it should be changed. Apps will need updating first though.

Well, then this should be Prio 1 otherwise inform your Premier users to avoid camera upload as their pictures could get exposed in the internet.

Sorry, but this is critical!


TeamB

Adding an api_key to all images will affect clients a lot, not just from an access point of view but also for caching the images for future use, as the URLs of images would change with token changes and for each user.

Perhaps user-supplied images for photo albums need to be treated differently than item artwork.


rechigo

It would also require plugins that post new content notifications to external sources to upload thumb images to services like imgur, to avoid exposing server URLs with API keys.


We'd have to rework the apps first to start updating their image urls, and unfortunately it would break older versions of apps that can't be updated anymore. But yes it's something that can be done.


pünktchen
On 6/1/2021 at 8:00 PM, Luke said:

We'd have to rework the apps first to start updating their image urls, and unfortunately it would break older versions of apps that can't be updated anymore. But yes it's something that can be done.

Over a year is plenty of time to get this done!!!
As for the client versions, a simple solution would be to provide a new network setting (default to off): "Force authentication for image requests in remote sessions".
This way, when clients connect to the server, they would know from the system info how to make a request, and the server admin can choose this option if he knows that all his users' client apps support authentication for images as well.


Quote

a simple solution would be to provide a new network setting (default to off): "Force authentication for image requests in remote sessions".

Yes, something like that is what we would have to do.


visproduction

I think that part of the issue is the time to load the page with jpg restricted. Apparently, a request like this causes the page to require an image permissions check for each image, which slows the page load by perhaps 1 second per 20 thumbnail images. Are you seriously willing to live with that? Maybe there is a way out. Here is a discussion. I am not sure it applies with Emby code.
https://stackoverflow.com/questions/3990337/how-to-protect-against-direct-access-to-images


davidecavestro

This is my experience:

  1. started emby
  2. shared link to a sample image
  3. saw the link was accessible without any auth check
  4. stopped emby

Definitely embarrassing... I must suppose Emby is meant for other usages


11 hours ago, davidecavestro said:

This is my experience:

  1. started emby
  2. shared link to a sample image
  3. saw the link was accessible without any auth check
  4. stopped emby

Definitely embarrassing... I must suppose Emby is meant for other usages

Hi, it's only images that this is possible with, and we are working on resolving it. Thanks.


CatSama

After 3 years, they are still working on it.🫠

I will never allow my private photos to be exposed on the public internet.

So, whatever. You don't fix it, I don't use it.😔

I will unfollow this topic.


pünktchen

This will probably take some more years to get solved, but
@Luke could you at least please make sure that every client request is sending the deviceId either in the query string or in the headers?!
This way one could easily block unwanted requests in a proxy software.

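The two defensive ideas from this thread, the proposed server setting "Force authentication for image requests in remote sessions" (default off) and the request to have every client send a deviceId so a proxy can drop requests without one, can be expressed as a small request-policy function. The following is an added example written for this thread, not Emby's own code and not a proposal from any of the posters. It assumes the image path quoted at the top of the thread, an `api_key` query parameter, and that clients carry credentials in an `X-Emby-Token` or `X-Emby-Authorization` header and the deviceId in a `deviceId` query parameter or in that same header; those header and parameter names are assumptions about client behaviour and should be confirmed against your own server's access log before a proxy rule is built on them.

```python
"""Added example (not Emby's own code): a request-policy check modelling two
defensive ideas raised in this thread:
  1. a server setting "Force authentication for image requests in remote
     sessions" (default off), and
  2. requiring every client request to carry a deviceId so that unwanted
     requests can be dropped at a reverse proxy.
Header names (X-Emby-Token, X-Emby-Authorization) and the deviceId query
parameter are assumptions about what clients send; confirm them against your
own server's access log before relying on them.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Matches the image endpoint quoted in the thread, e.g. /emby/items/42/images/primary
IMAGE_PATH = re.compile(r"^/emby/items/\d+/images/", re.IGNORECASE)


def is_remote(client_ip: str) -> bool:
    """True when the client address is outside loopback, link-local and private (RFC 1918) space."""
    ip = ipaddress.ip_address(client_ip)
    return not (ip.is_loopback or ip.is_link_local or ip.is_private)


def _auth_fields(headers: dict) -> dict:
    """Parse 'MediaBrowser Client="x", DeviceId="y", Token="z"' (assumed format) into a dict."""
    raw = headers.get("x-emby-authorization", "")
    return dict(re.findall(r'(\w+)="([^"]*)"', raw))


def has_credential(headers: dict, query: dict) -> bool:
    """An api_key query parameter or a token header counts as a credential."""
    return bool(query.get("api_key") or headers.get("x-emby-token")
                or _auth_fields(headers).get("Token"))


def has_device_id(headers: dict, query: dict) -> bool:
    """The deviceId may travel in the query string or inside the authorization header."""
    return bool(query.get("deviceId") or _auth_fields(headers).get("DeviceId"))


def decide(url: str, headers: dict, client_ip: str,
           force_auth_remote: bool = False,
           require_device_id: bool = False) -> tuple:
    """Return (HTTP status, reason) for one request under the given policy.

    200 means "not blocked by this policy"; non-image paths still go through the
    server's normal authentication, which this example does not model.
    """
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    if require_device_id and not has_device_id(hdrs, query):
        return 403, "request carries no deviceId"
    if not IMAGE_PATH.match(parts.path):
        return 200, "not an image request; normal authentication applies"
    if force_auth_remote and is_remote(client_ip) and not has_credential(hdrs, query):
        return 401, "remote image request without api_key or token"
    return 200, "allowed"


# Constructed sample requests; 1.2.3.4 stands in for an arbitrary internet address.
SAMPLES = [
    ("/emby/items/42/images/primary", {}, "1.2.3.4"),
    ("/emby/items/42/images/primary", {}, "192.168.1.20"),
    ("/emby/items/42/images/primary?api_key=constructed-key", {}, "1.2.3.4"),
    ("/emby/items/42/images/primary", {"X-Emby-Token": "constructed-token"}, "1.2.3.4"),
    ("/emby/items/42/images/primary",
     {"X-Emby-Authorization": 'MediaBrowser Client="Emby Web", DeviceId="dev-1", Token="t"'},
     "1.2.3.4"),
]


def evaluate_samples(force_auth_remote: bool, require_device_id: bool) -> list:
    """Run every sample through decide() and return the status codes in order."""
    return [decide(u, h, ip, force_auth_remote, require_device_id)[0] for u, h, ip in SAMPLES]


if __name__ == "__main__":
    print("setting off:   ", evaluate_samples(False, False))
    print("setting on:    ", evaluate_samples(True, False))
    print("on + deviceId: ", evaluate_samples(True, True))
```

With both switches off the policy reproduces the behaviour the thread complains about (every sample is allowed); turning the setting on blocks only the unauthenticated remote request while LAN clients and requests carrying an api_key or token keep working, and the deviceId requirement rejects everything that does not identify its client regardless of path. The same decision could be implemented as a reverse-proxy rule in front of the server; the per-request checks here are cheap string and address tests, so they do not add the per-image permission lookup cost discussed later in the thread.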

Junglejim
On 23/07/2023 at 05:44, CatSama said:

After 3 years, they are still working on it.🫠

I will never allow my private photos to be exposed on the public internet.

So, whatever. You don't fix it, I don't use it.😔

I will unfollow this topic.

Uploading photos from phones/PC etc. from multiple clients is a totally stupid idea that these devs can't or won't remove! SAD!!


On 10/20/2023 at 6:58 AM, Junglejim said:

Uploading photos from phones/PC etc. from multiple clients is a totally stupid idea that these devs can't or won't remove! SAD!!

The camera upload feature has nothing to do with this topic.


Junglejim
1 hour ago, Luke said:

The camera upload feature has nothing to do with this topic.

I think it does, private photos shouldn't be uploaded in the first place. I'd go as far as saying Emby doesn't need a personal photo library at all with so many other ways to host your photos.


2 minutes ago, Junglejim said:

I think it does, private photos shouldn't be uploaded in the first place. I'd go as far as saying Emby doesn't need a personal photo library at all with so many other ways to host your photos.

It doesn't relate. This topic is about downloading images from the server, not adding new ones.

But since you're on the topic, the camera upload feature is off by default, users have to opt-in into it, they have to go through the permission request on the device so that the app can access the photos, and then they have to select what folders from the device they want to upload. So it is the user's choice, and in the upcoming 4.8 server release, there is a new user permission for it to block the uploads from getting into the server.

