adrianwi (279), posted December 17, 2025:
Why isn't security being prioritised over features?
Tigga5 (39), posted December 17, 2025:
3 hours ago, adrianwi said: "Why isn't security being prioritised over features?"
I would say Emby subscribes to the concept of "security through obscurity", but even that would still require some actual obscurity. Maybe they're just waiting for another mass exploit so they can write another blog post about taking down a massive botnet, framing themselves as heroes, while leaving out the part about how their poor security practices are what enabled it in the first place.
Guest (embaaa), posted December 17, 2025:
2 hours ago, Tigga5 said: "Maybe they're just waiting for another mass exploit so they can write another blog post about taking down a massive botnet, framing themselves as heroes, while leaving out the part about how their poor security practices are what enabled it in the first place."
Anyone else find it strange that Emby claims they have no ability to see our media, yet they were able to disable remote connections on everyone's server that day? I don't remember any discussion about this. But hey, we all have the ability to read ebooks on your living room TV, so the devs are crushing it right now!!!
rbjtech (5283), posted December 17, 2025:
16 minutes ago, embaaa said: "Anyone else find it strange that Emby claims they have no ability to see our media, yet they were able to disable remote connections on everyone's server that day? I don't remember any discussion about this."
To be fair, there is a whitepaper that was published after the incident detailing how they did this via the auto-update on the plugin side of things, relying 100% on user activation. They did not remotely have the ability to change anything. It's all here via the blog.
Guest, posted December 17, 2025:
Thanks rbjtech, this PDF was an interesting read. Quoting from it:
"Emby cares about privacy, and as such there's no telemetry in place, no user datamining is performed, and there's no correlation of data records aiming to make users identifiable beyond the required minimum for providing and validating Emby Premiere services according to the Emby Premiere Terms of Service [17]. In an emergency situation like this, it can happen that one good must be weighed against another, and we can only assume what the majority of users would prefer (being hacked, or being vulnerable to being hacked without knowing, or us taking action). In this case, for taking action, it was crucial to get reliable data and information for proper assessment. We don't know details about our users' servers and we don't have any way to access them. But in this case, we had to find a way to get information from those servers in some way in order to assess the situation and possibly take appropriate actions."
ellisd4 (73), posted December 17, 2025:
21 minutes ago, rbjtech said: "To be fair, there is a whitepaper that was published after the incident detailing how they did this via the auto-update on the plugin side of things, relying 100% on user activation. They did not remotely have the ability to change anything. It's all here via the blog."
Agreed, and I'm actually glad they were able to do this in that case. I was affected and suffered a lot of effects from the compromise. I am surprised they aren't doing that with the latest CVE, though it's not quite as large. Anyways... we've gotten off topic slightly...
The devs should be making this a priority. I am disappointed to see new features rolling out while a security vulnerability still exists. I've been able to block this exploit using nginx rules, but would still like to see a fix in place AND a better security stance from Emby altogether. This whole "let's just wait until there's an exploit, even though the users have been reporting it for years" thing is really not the stance a software company should be taking if they want to stick around for long.
adrianwi (279), posted January 8:
Surely this is in 4.9.3.0, as none of the items in the release notes are more important than a security issue?
Luke (42077), posted January 8:
12 minutes ago, adrianwi said: "Surely this is in 4.9.3.0, as none of the items in the release notes are more important than a security issue?"
Hi, that is a stable release. This development will be going into the beta channel first. Thanks.
adrianwi (279), posted February 3:
I can't tell from the release notes if this is in 4.10.0.2? Please tell me security is more important than being able to edit the home page?
pwhodges (2012), posted February 3:
This is a matter of privacy rather than security: your whole machine isn't compromised by an image being downloadable. Sure, it matters, but it's not always the most important thing. Also, I believe that there is more than one Emby developer, so the fact that one person may be actively working on the images issue doesn't mean that the work of another cannot be presented in a beta.
Paul
ellisd4 (73), posted February 3:
20 minutes ago, pwhodges said: "This is a matter of privacy rather than security: your whole machine isn't compromised by an image being downloadable. Sure, it matters, but it's not always the most important thing. Also, I believe that there is more than one Emby developer, so the fact that one person may be actively working on the images issue doesn't mean that the work of another cannot be presented in a beta."
I guess you can't call it a security vulnerability because it's an open door and there is no security around it. There's no authentication around this, so there's technically no breach that is actually occurring. While your point may be valid depending on how you look at it, Emby pushes the app photo sync feature as a Premiere feature, meaning they are encouraging its use (while giving the idea that authentication exists around the access within the app) while leaving a backdoor open to get those photos.
Think of it this way: I can control the access of an authenticated user to see the photos that have been uploaded. However, anyone that can access the URL of the server can get them unauthenticated if they just try hard enough. Insert bot here. Most companies would call this a security flaw.
I also don't think that the users in this thread are frustrated that the issue is occurring (although it was reported years ago). It's that we were promised a fix several beta versions ago and it still hasn't been resolved. New features (non-Premiere) have been added.
cptlores (40), posted February 12:
In this day and age, having control of your privacy is VERY much a security thing.