pünktchen
Posted

When the Emby server is exposed to the public net, then every item image is accessible without authentication or api key!

This is especially critical if someone has private photo libraries in Emby.

With a simple brute force attack to

http://{public domain}/emby/items/{increment number}/images/primary

it's possible to compromise every piece of someone's private life.

This has to be fixed immediately!
Posted

This is the last api left that doesn't require an api key, and yes it should be changed. Apps will need updating first though.

Posted (edited)

This is the last api left that doesn't require an api key, and yes it should be changed. Apps will need updating first though.

Well, then this should be Prio 1; otherwise, inform your Premier users to avoid camera upload, as their pictures could get exposed on the internet.

Sorry, but this is critical!

Edited by neik
Posted

Adding api_key to all images will affect clients a lot, not just from an access point of view but also for caching the images for future use, as the URLs of images would change with token changes and for each user.

Perhaps user-supplied images for photo albums need to be treated differently than item artwork.

rechigo
Posted

It would also require plugins that post new content notifications to external sources to upload thumb images to services like imgur to avoid exposing server URLs with API keys

  • 1 year later...
whiteone69
Posted

I still see this happening on version 4.6.2.0.  Are there still plans to have this fixed?

Posted

We'd have to rework the apps first to start updating their image urls, and unfortunately it would break older versions of apps that can't be updated anymore. But yes it's something that can be done.

  • 1 month later...
pünktchen
Posted
On 6/1/2021 at 8:00 PM, Luke said:

We'd have to rework the apps first to start updating their image urls, and unfortunately it would break older versions of apps that can't be updated anymore. But yes it's something that can be done.

Over a year is plenty of time to get this done!!!
As for the client versions, what would be a simple solution is to provide a new network setting (default to off) "Force authentication for image requests in remote sessions".
This way, if clients connect to the server, they would know from the system info how to make a request, and the server admin can choose this option if he knows all his users' client apps support authentication for images as well.

Posted
Quote

what would be a simple solution is to provide a new network setting (default to off) "Force authentication for image requests in remote sessions".

Yes something like that is what we would have to do.

  • 11 months later...
Posted

Hi,

is there any update on this issue?

Posted

Hi, not yet. On the to do list.

visproduction
Posted

I think that part of the issue is the time to load the page with jpg restricted.  Apparently, a request like this causes the page to require an image permissions check for each image which slows the page load by perhaps 1 second per 20 thumbnail images.  Are you seriously willing to live with that?  Maybe there is a way out.  Here is a discussion.  I am not sure it applies with Emby code.  
https://stackoverflow.com/questions/3990337/how-to-protect-against-direct-access-to-images

  • 5 months later...
Posted
30 minutes ago, DJX said:

Any update on this one?

Hi, not yet, sorry.

  • 7 months later...
davidecavestro
Posted (edited)

This is my experience:

  1. started emby
  2. shared link to a sample image
  3. saw the link was accessible without any auth check
  4. stopped emby

Definitely embarrassing.... I must suppose Emby is meant for other usages

Edited by davidecavestro
Posted
11 hours ago, davidecavestro said:

This is my experience:

  1. started emby
  2. shared link to a sample image
  3. saw the link was accessible without any auth check
  4. stopped emby

Definitely embarrassing.... I must suppose Emby is meant for other usages

Hi, it's only images that this is possible with, and we are working on resolving it. Thanks.

Posted

After 3 years, they are still working on it.🫠

I will never allow my  private photos to be exposed on the public internet.

So, whatever.  You don't fix it, I don't use it.😔

I will unfollow this topic.

  • 1 month later...
Posted (edited)

Edit: Wrong Thread, sorry. 

Edited by geppii
  • 5 weeks later...
  • 3 weeks later...
pünktchen
Posted

This will probably take some more years to get solved, but
@Luke could you at least please make sure that every client request is sending the deviceId either in the query string or in the headers?!
This way one could easily block unwanted requests in proxy software.
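The proxy-side blocking idea from the post above, written out as an added nginx fragment (not code from this thread or from the Emby project). It assumes nginx fronts Emby on 127.0.0.1:8096 and that clients identify themselves with an api_key query parameter, an X-Emby-Token header, or an X-Emby-Authorization header carrying a DeviceId; those parameter and header names are assumptions, not taken from the thread.

```nginx
# Added example, not from the thread or the Emby project.
# Assumed credential/identification carriers (not confirmed by the thread):
#   - ?api_key=...              query parameter
#   - X-Emby-Token              header
#   - X-Emby-Authorization      header containing DeviceId=...
# The proxy only checks presence; Emby itself remains responsible for
# validating tokens on every other route.

# $emby_anonymous is "1" when the request carries none of the three.
map "$arg_api_key$http_x_emby_token$http_x_emby_authorization" $emby_anonymous {
    default 0;
    ""      1;
}

server {
    listen 443 ssl;
    server_name emby.example.com;                 # placeholder
    ssl_certificate     /etc/ssl/emby.pem;        # placeholder
    ssl_certificate_key /etc/ssl/emby.key;        # placeholder

    # Item image routes: the path family discussed in this thread.
    # Requests with no token and no device identification are refused
    # at the proxy, so enumeration of item ids yields nothing but 401s.
    location ~* ^/(emby/)?items/[^/]+/images/ {
        if ($emby_anonymous) {
            return 401;
        }
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is passed through unchanged; Emby enforces auth here.
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;   # websocket for the web app
        proxy_set_header Connection        "upgrade";
    }
}
```

Any client that loads images with a bare URL (no api_key and no headers) will stop showing artwork behind this rule, which is exactly the client-compatibility problem the earlier replies describe; test it against every app your users run before enabling it.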

Junglejim
Posted
On 23/07/2023 at 05:44, CatSama said:

After 3 years, they are still working on it.🫠

I will never allow my  private photos to be exposed on the public internet.

So, whatever.  You don't fix it, I don't use it.😔

I will unfollow this topic.

Uploading photos from phones/PCs etc. from multiple clients is a totally stupid idea that these devs can't or won't remove! SAD!!

Posted

But guess what, you can change the accent colors in 4.8!!!

Posted
On 10/20/2023 at 6:58 AM, Junglejim said:

Uploading photos from phones/PCs etc. from multiple clients is a totally stupid idea that these devs can't or won't remove! SAD!!

The camera upload feature has nothing to do with this topic.

Junglejim
Posted
1 hour ago, Luke said:

The camera upload feature has nothing to do with this topic.

I think it does, private photos shouldn't be uploaded in the first place. I'd go as far as saying Emby doesn't need a personal photo library at all with so many other ways to host your photos.

Posted
2 minutes ago, Junglejim said:

I think it does, private photos shouldn't be uploaded in the first place. I'd go as far as saying Emby doesn't need a personal photo library at all with so many other ways to host your photos.

It doesn't relate. This topic is about downloading images from the server, not adding new ones.

But since you're on the topic, the camera upload feature is off by default: users have to opt into it, they have to go through the permission request on the device so that the app can access the photos, and then they have to select which folders from the device they want to upload. So it is the user's choice, and in the upcoming 4.8 server release, there is a new user permission for it to block the uploads from getting into the server.
