ebr 16169, Posted November 9, 2024
23 hours ago, rbjtech said: Probably not advisable, unless it's an API purely for the images - you wouldn't want to post an API with admin as part of the URL for obvious reasons ...
Why wouldn't the same authentication technique we use for all other requests work?
rbjtech 5284, Posted November 9, 2024
2 hours ago, ebr said: Why wouldn't the same authentication technique we use for all other requests work?
My bad - I'm getting confused with the system API. You're referring to the client request API, right (i.e. unique to that client)?
ebr 16169, Posted November 9, 2024
3 hours ago, rbjtech said: You're referring to the client request API
Yup
Tigga5 39, Posted November 17, 2024
On 11/4/2024 at 6:37 PM, Carlo said: No, you would be surprised by the number of people running reverse proxies. A lot of people use CDNs as well but most use Cloudflare. Some people are behind a CG-NAT with a way for people to get to their media server so instead of using a relay or VPC or VPN they get a domain name, change the authorized DNS servers to point to Cloudflare's. Then using a Cloudflare Zero Trust tunnel they get the benefit of people hitting the Cloudflare CDN directly which solves the CG-NAT problem. They also don't need to open any port so nothing gets into the network except Cloudflare through the tunnel. No one on the internet knows your IP address as they only see the CDN IP address. They get all the caching, special CDN features, optimized delivery (images are fast), etc. as well as protection against DOS attacks, bot attacks or scans since the CDN blocks that nonsense. Most do that on a free Cloudflare account as well! We make a change in the Cloudflare dashboard using a rule to specify not to cache anything starting with a couple of specific URLs. These are the URLs used by Emby for music and video media. This is to stop them from caching the media content and copying it to different regions or to edge servers. We try not to abuse their service. A portion of people using Cloudflare also use a reverse proxy as well to direct traffic to other services they have. The caching does make a big difference, I just want to make sure that a patch/solution for the issue doesn't break caching as it doesn't need to.
Thanks for the confirmation. I really shouldn't have needed it in the first place if I'm being honest. Seeing this attitude from Emby though is the confirmation I needed to ensure that there's no way in hell that my Emby server will ever be, in any way, accessible through a public URL again. Fool me once, shame on you. Fool me twice,....
Abul3ees 4, Posted May 22, 2025
On 11/9/2024 at 3:24 PM, ebr said:
Hello Ebr, as a recent monthly subscriber of Emby and previous subscriber of Plex, one of the use cases for the media server was for family home videos. I was not aware of this issue prior to subscribing, and honestly speaking it is quite concerning. I was able to easily reproduce this and access images based off of the content in my library without authentication. Is there any update you can provide on this security concern and a timeline as to when it will be solved? Part of my main reason for switching over to Emby from Plex is that it seems there is a good balance between functionality and privacy. However, being able to simply extract images publicly and easily eliminates Emby as a real alternative to Plex. I really enjoy Emby and appreciate all the work that goes into the application. However, a security flaw (or design) of this magnitude would be a deal breaker for me becoming a long-term subscriber of Emby.
Grimgrim 0, Posted May 22, 2025
12 hours ago, Abul3ees said: Hello Ebr, as a recent monthly subscriber of Emby and previous subscriber of Plex, one of the use cases for the media server was for family home videos. I was not aware of this issue prior to subscribing, and honestly speaking it is quite concerning. I was able to easily reproduce this and access images based off of the content in my library without authentication. Is there any update you can provide on this security concern and a timeline as to when it will be solved? Part of my main reason for switching over to Emby from Plex is that it seems there is a good balance between functionality and privacy. However, being able to simply extract images publicly and easily eliminates Emby as a real alternative to Plex. I really enjoy Emby and appreciate all the work that goes into the application. However, a security flaw (or design) of this magnitude would be a deal breaker for me becoming a long-term subscriber of Emby.
I would like to say I'm in the exact same situation. I even run Emby and Plex side by side and I prefer Emby way over Plex. But this situation just stops me from buying any subscription. Plex is not perfect, but I'll wait before doing the switch.
Clackdor 109, Posted May 23, 2025 (Author)
Also hoping for some kind of update on this as well. I'm still not comfortable exposing my Emby instance with family photos/videos until something is changed for at least those library types.
Abul3ees 4, Posted May 28, 2025
I just wanted to bump this and follow up on it again. This is the only thing keeping me from extending my subscription. Can anybody from the dev team provide an update on this?
Abul3ees 4, Posted June 9, 2025
On 11/9/2024 at 3:24 PM, ebr said: Yup
@ebr @Luke Good day, just wanted to follow up on this again for the third time. I am coming up on the end of my monthly subscription to Emby and this is the only issue that I have found with Emby compared to Plex. Response on this forum is usually very fast and I would hate to think that an issue of this magnitude is being intentionally ignored by the Emby team. Any light you can shed on the current status, as well as the work towards a more private and secure solution, would be much appreciated. Thanks in advance!
pünktchen 1409, Posted June 9, 2025
@Abul3ees I already reported this issue in 2020. So 5 years ago! I think that's all you need to know to get your answer.
rbjtech 5284, Posted June 9, 2025
Maybe some official reporting of the issue external to this forum may raise its priority .. (CVE) ..
Abul3ees 4, Posted June 11, 2025
I think at the minimum they should provide an update given the fact that camera uploads are a feature that is still actively promoted. People can unknowingly and unwillingly be giving potential access to the entire interwebs for things they are being led to believe to be "private". The fact that it is a selling point promoting that they collect "limited" data, but then on the other hand allow easy unauthenticated access to images on everyone's server, is puzzling and concerning. While ignoring the issue is somewhat of a response on the issue in and of itself, I still think that an issue of this magnitude should be top of the list of priorities. If the Emby team cares about their product and their end users, a response as well as an action plan to address this issue is warranted.
Neminem 1518, Posted June 11, 2025
Ok, I know this WILL not be well received. If you do not trust a feature, do not use it. If no response from Emby, I would disable the feature for my users. (It's my server, I do not let my users upload anything.) (IT'S stupid and dangerous.) There are other self-hosted programs out there. Try immich-app/immich: High performance self-hosted photo and video management solution.
Santrex 7, Posted June 11, 2025
The problem with unauthorized access to content via Direct Link is the old "scourge" of this program. We use it inside the corporation for publishing content between producers and editors. Each user has their own access and their own folder. They are authorized and should receive only private content according to their security settings. But people are different; someone shares direct links in chat to content. People take this link and, although this content should not be available to a person, Emby is "ignored". They simply do not pass the content access checks. That is, you need to understand that a person does not have access to the folder (and therefore to the files contained there too). And access to the file via Direct Link - please, "Open". Why configure security at all then? Okay, we wrote a bunch of scripts and have event analytics. But this is not available to ordinary users of the system. I have a script that simply kicks the user if the content is not from his folder. And it works. But it's just a "crutch". It's not a solution to the problem.
Abul3ees 4, Posted June 11, 2025
It's a valid point and I personally utilize a dedicated application for photos and videos. I do create a family home videos library giving access to other family members so they can watch certain milestone events and other things for the kids. Regardless, this issue allows anyone to extract details on the library contents of any Emby server with ease. This is the concern. For the record I am a massive fan of Emby and of the Emby team. I believe it is superior to both Plex and Jellyfin in most ways. I am just hesitant due to the concerns that I have brought up.
Neminem 1518, Posted June 11, 2025
12 minutes ago, Santrex said: We use it inside the corporation for publishing content between producers and editors.
Well, that's dumb to use a private media server, since it's not enterprise-grade software.
Santrex 7, Posted June 11, 2025
4 minutes ago, Neminem said: Well, that's dumb to use a private media server, since it's not enterprise-grade software.
Yes, but here is a question about content security settings. In fact, they exist. But in reality, they are "crap". So what difference does it make, if security is at risk? And you are counting on it. A private gallery of "stars" (if, for example, someone uses Emby) stolen by hackers is much more serious than the problem of a leaked video with a "Coca-Cola advertisement". But in all cases, this is "unauthorized access" to content by 3rd parties.
Santrex 7, Posted June 11, 2025
Emby separates the concepts: authorization and security. Authorization is the ability to log in to the server. Security is access to specifically assigned content (media/photo/audio), as a rule at the folder/directory level. And access is always granted to the folder. BUT direct links ruin everything. The question is that they must be there! BUT who will conduct the check? Emby does not do this. But it must be conducted FOR each element (folder/file), to compare it with reality. As an administrator (owner), I am obliged to monitor compliance with this. Otherwise, what is the point?
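The per-element check Santrex describes above (and the "kick the user if the content is not from his folder" script from the earlier post) can be sketched as a small access decision that a direct-link handler or an audit script would run before serving a file. This is an added illustration, not Emby's code and not Santrex's script: the folder assignments, item ids and file paths are constructed sample data, and the functions are hypothetical names. The check resolves the requested item to a file, lexically collapses any `..` segments so a link cannot climb out of its folder, and then asks whether the file lies under one of the folders assigned to the requesting user; the logged-in state of the user is deliberately not enough on its own, which is the authorization/security split the post is about.

```python
"""Per-item access check for direct links (added example; hypothetical,
not Emby's implementation). A user may be logged in (authorization) but is
served a file only if it lies inside a folder assigned to them (security)."""
from pathlib import PurePosixPath
from typing import Dict, List, Tuple

# Constructed folder assignments: user -> library roots they may read.
# Stand-ins for the per-user folder access an administrator would configure.
FOLDER_ACCESS: Dict[str, List[str]] = {
    "alice": ["/media/producers/alice", "/media/shared"],
    "bob": ["/media/editors/bob", "/media/shared"],
}

# Constructed map from a shareable item id to the file it resolves to.
# item-1003 is a deliberately crafted path that climbs out of bob's folder.
ITEMS: Dict[str, str] = {
    "item-1001": "/media/producers/alice/cut_v3.mp4",
    "item-1002": "/media/shared/brand_spot.mp4",
    "item-1003": "/media/editors/bob/../../producers/alice/cut_v3.mp4",
}


def normalise(path: str) -> PurePosixPath:
    """Collapse '.' and '..' segments lexically so the root comparison
    below cannot be fooled by a path that climbs out of its folder."""
    parts: List[str] = []
    for seg in PurePosixPath(path).parts:
        if seg in ("", "/", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return PurePosixPath("/", *parts)


def is_within(path: PurePosixPath, root: str) -> bool:
    """True when 'path' is the root itself or a descendant of it.
    Comparing whole path components (not string prefixes) means
    '/media/sharedx/f' is NOT inside '/media/shared'."""
    root_p = normalise(root)
    return path == root_p or root_p in path.parents


def check_direct_link(user: str, item_id: str) -> Tuple[str, str]:
    """Decide whether 'user' may be served 'item_id' via a direct link.

    Returns (decision, reason); decision is "serve" when the resolved file
    lies inside a folder assigned to the user, otherwise "deny"."""
    if user not in FOLDER_ACCESS:
        return "deny", "unknown user"
    if item_id not in ITEMS:
        return "deny", "unknown item"
    target = normalise(ITEMS[item_id])
    for root in FOLDER_ACCESS[user]:
        if is_within(target, root):
            return "serve", f"{target} is inside {root}"
    return "deny", f"{target} is outside every folder assigned to {user}"


def audit(requests: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run the check over a batch of (user, item_id) requests and return the
    denied ones with their reasons, the way a periodic audit script that
    reads request logs might flag them for the administrator."""
    flagged = []
    for user, item_id in requests:
        decision, reason = check_direct_link(user, item_id)
        if decision == "deny":
            flagged.append((user, item_id, reason))
    return flagged


if __name__ == "__main__":
    # Constructed batch: alice opening her own cut, bob following a link
    # pasted in chat to alice's cut, bob opening a shared item, and bob
    # following a crafted link that resolves into alice's folder.
    sample = [("alice", "item-1001"), ("bob", "item-1001"),
              ("bob", "item-1002"), ("bob", "item-1003")]
    for entry in audit(sample):
        print("DENY", *entry)
```

Running the block prints two denials for bob (item-1001 and item-1003); the crafted `..` link is caught because the path is normalised before the folder comparison, and the comparison is by path component rather than string prefix so a sibling folder with a longer name does not match. A real deployment would run this check inside the request path, not only in a later audit, and would log every denial.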
Neminem 1518, Posted June 11, 2025
5 minutes ago, Santrex said: And you are counting on it.
Nope, I do not trust Emby with my private (nude pictures or videos of my wife), especially when online. Emby should not have access to anything you do not want online... I would not trust anything with WAN access with that info..... It's dumb and stupid...
Neminem 1518, Posted June 11, 2025
2 minutes ago, Santrex said: As an administrator (owner), I am obliged to monitor compliance with this.
Yes, do not use it; it's an issue, but do not use it till it's fixed. It's up to you as an Admin (Owner) to close down features that are not secure. Again, THIS IS not enterprise software, it's for your home use. And you need to jump through hoops to get it online. Not hard, but hard enough that the common Joe doesn't get it.
Santrex 7, Posted June 11, 2025
2 minutes ago, Neminem said: Yes, do not use it; it's an issue, but do not use it till it's fixed. It's up to you as an Admin (Owner) to close down features that are not secure. Again, THIS IS not enterprise software, it's for your home use. And you need to jump through hoops to get it online. Not hard, but hard enough that the common Joe doesn't get it.
Well, here we are trying to call on the developers to clarify, and to get fixes in the next releases. So far from the answers it is clear that none of the developers admit that these are problems. Since this is not recognized as a "problem", no one will make a fix.
Santrex 7, Posted June 11, 2025
11 minutes ago, Neminem said: Nope, I do not trust Emby with my private (nude pictures or videos of my wife), especially when online. Emby should not have access to anything you do not want online... I would not trust anything with WAN access with that info..... It's dumb and stupid...
If you knew how people behave... they don't even know it until it happens to them.
Neminem 1518, Posted June 11, 2025
3 minutes ago, Santrex said: If you knew how people behave... they don't even know it until it happens to them.
True, and they should not self-host. Well, this might wake them.
yocker 1247, Posted June 11, 2025 (edited)
Not trying to protect Emby here, but always assume that everything you put on the internet is insecure and has more holes than a cheese. Never ever put anything on an internet-connected device you do not want anyone to see, have or control! With that said, if there are glaring security problems in Emby they should IMO ofc. have priority for a fix. Remember though that it is a private media server, not a data vault.
Edited June 11, 2025 by yocker
Abul3ees 4, Posted June 11, 2025
15 minutes ago, Neminem said: Yes, do not use it; it's an issue, but do not use it till it's fixed. It's up to you as an Admin (Owner) to close down features that are not secure. Again, THIS IS not enterprise software, it's for your home use. And you need to jump through hoops to get it online. Not hard, but hard enough that the common Joe doesn't get it.
I think you are overlooking the point that is being made here. This is a major issue that affects everyone, but is more concerning for publicly hosted servers. We are just attempting to get some answers and fixes for this issue from the Emby team. This is meant to be a more constructive discussion rather than a destructive one.