Jdiesel 1431 Posted September 15, 2017
I noticed today that one of my users logged in under my account from their Roku. The Roku client has only ever been used by that user and my account is password protected with a complex password. In my server activity I see my user account being logged in on that Roku device and a movie being watched. Under my user account I now see that movie being marked as being watched. Now I highly doubt that my brother guessed my password and logged into my account to watch the movie Frozen.

ebr 16195 Posted September 15, 2017
Do you have the account linked via Connect?

Jdiesel 1431 (Author) Posted September 15, 2017
I do have the server linked via Connect but the other user has never logged in via Connect, only through a direct connection. All users are local users that connect directly to my domain name.
Edited September 15, 2017 by Jdiesel

Jdiesel 1431 (Author) Posted September 16, 2017
This is still occurring when the Roku connects to the server. I went as far as changing my password and unlinking my server from Emby Connect. That one Roku, which I have never used myself, is automatically signing in under my admin account.

ebr 16195 Posted September 16, 2017
> This is still occurring when the Roku connects to the server. I went as far as changing my password and unlinking my server from Emby Connect. That one Roku, which I have never used myself, is automatically signing in under my admin account.

Once he has signed in, if he left the "Remember login" option on then it will continue to sign in. He would need to sign out or sign in as a different user. Sounds like maybe we need to invalidate all access tokens on a user password change though...

Jdiesel 1431 (Author) Posted September 16, 2017
Yes, I requested that he sign out and sign back in next time he uses the Roku. The concerning thing is how a device can log into an account automatically that had never been logged in with that user before. I have never even touched the device myself, let alone logged into my account from it. Seems like a major security flaw that needs to be looked into. On a side note, after changing my user password I was kicked out of my Roku or prompted to re-sign in with my new password. I had to manually sign out before it asked me for my new password.

ebr 16195 Posted September 16, 2017
> Yes, I requested that he sign out and sign back in next time he uses the Roku. The concerning thing is how a device can log into an account automatically that had never been logged in with that user before. I have never even touched the device myself, let alone logged into my account from it. Seems like a major security flaw that needs to be looked into. On a side note, after changing my user password I was kicked out of my Roku or prompted to re-sign in with my new password. I had to manually sign out before it asked me for my new password.

Okay, so that sounds like the security token was properly invalidated when you changed the password. I still think the most likely scenario here is that his Connect account somehow got linked to your user.
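
The thread turns on whether a "Remember login" token outlives a password change. The sketch below is an added example, not part of the original posts and not Emby's code: a minimal server-side token store showing a remembered device token staying valid until the password-change handler revokes every token for the user. The class, method and device names are all hypothetical.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class TokenStore:
    """Server-side remembered-login tokens (hypothetical model, not Emby's schema)."""
    tokens: dict = field(default_factory=dict)  # token -> (user, device_id)

    def issue(self, user, device_id):
        # Called only after the password check has already succeeded.
        token = secrets.token_hex(16)
        self.tokens[token] = (user, device_id)
        return token

    def resume(self, token, device_id):
        # What a "Remember login" client does at start-up: present its stored token.
        entry = self.tokens.get(token)
        if entry is None or entry[1] != device_id:
            return None
        return entry[0]

    def sessions(self, user):
        # Audit view: every device currently able to sign in as this user.
        return sorted(dev for (u, dev) in self.tokens.values() if u == user)

    def on_password_change(self, user, revoke_tokens=True):
        # With revoke_tokens=False the new password protects nothing that was
        # already signed in; with True every remembered device must log in again.
        if not revoke_tokens:
            return 0
        stale = [t for t, (u, _) in self.tokens.items() if u == user]
        for t in stale:
            del self.tokens[t]
        return len(stale)

def demo():
    # Constructed sample data: two devices remembered under one admin account.
    store = TokenStore()
    roku = store.issue("admin", "roku-livingroom")
    store.issue("admin", "roku-bedroom")
    before = store.sessions("admin")
    store.on_password_change("admin", revoke_tokens=False)
    still_valid = store.resume(roku, "roku-livingroom")
    revoked = store.on_password_change("admin")
    after = store.resume(roku, "roku-livingroom")
    return before, still_valid, revoked, after

if __name__ == "__main__":
    print(demo())
```

Listing `sessions()` for the admin account before changing the password is the check that would show an unexpected device holding a token.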