Jump to content

[Security issue] separate/isolates the list of the devices to by list of users device used instead of whole list of all users device in "Downloads to" option.


CyberPoison

Recommended Posts

CyberPoison

 

Hi everyone.

 

I have found a (Issue and this needs enhanced) because i have a friend who have downloaded a whole TV show to my mobile because both of us have the same Phone name and looks like than emby allow to see everyone devices as connected to emby through the list of downloads to device option let me explain in other words

 

How I supposed to know wish iPhone is mine and the other 2 is my friend, as you can see there are 3 iPhone in the list because the devs don't have isolated it.

 

 4d972fafdc646061781c67e202454001.jpg

 

I'm my moms tv with her accounts same thing (all device is listed)

 

2a4a80c5d6b23bf0adabeb28a83b80d7.jpg

 

As you can see in above picture, I can allow to download my movies to any device from other users, it should have a isolated device list per users

 

Like my computer and my smartphone and etc (My own devices only) ..

But not showing me the device from others like my mom devices, it should be isolated between accounts

(My user can download to my own device)

(My moms can download to her device)

 

 

I really don't understand why the devs don't have isolated the list by user. Like I have described above.

 

Hopefully this will be fixed soon because is a security issue user may not be able to view devices from other users.

 

 

Resume to do. 

Isolation between device account to don't allow users to download by mistake to a device from other users, so by this way the device is isolated by accounts and the retrieved(return or resulted) list was only the device from that user and not from the other.

 

Kind Regards

 

Enjoy? VOTE WITH LIKE NOT WITH +1 COMMENT

 

 

Sent from my VOG-L29 using Tapatalk

 

 

Screenshot_20200618_180946_com.mb.android.jpg

Edited by CyberPoison
  • Like 1
Link to comment
Share on other sites

You already have the power to restrict this via user device access, although granted I wouldn't recommend it.

We will rework this in future updates so that we can provide options to only show devices that they have used.

  • Like 1
Link to comment
Share on other sites

  • 6 months later...

Hi, this will be revamped in Emby Server 4.6. It will follow the user's remote control permissions. If they don't have permission to control other user's devices, then they won't be able to download to them either. Thanks for the feedback.

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...