jant90 15 Posted October 19, 2018

I stumbled upon this issue because Kodi users without any permissions (all downloading and playback permissions are disabled) can still play media just fine through the official Kodi for Emby addon. Upon further investigation I found out that stream URLs are not protected at all, in any way. Anyone with the base URL can download/stream the media without any form of authentication or providing an API key.

This is at least the case for "direct stream URLs", URLs that provide the video file without any transcoding. In those cases the base of the stream URL (without query string) looks a little something like this:

https://domain.tld:8920/emby/Videos/<mediaID>/stream.mkv

As Kodi is also using that URL for streaming media, it makes sense that Kodi still plays the content even when that user has no playback permissions. I believe this is essentially a security leak, plus permissions for Kodi users are essentially useless because of this.

In contrast, it looks like the downloading permission is properly managed on the server side of Emby, because after disabling that permission Emby throws a "401 Unauthorized" error and the user is greeted with the message "User does not have download access.". Also, when trying to download a file an API key is required in the URL; when omitted, Emby throws a "401 Unauthorized" error again with the message "Access token is required.". Download URL format:

https://domain.tld:8920/emby/Items/<mediaID>/Download?api_key=<API_KEY>

I hope this description was elaborate enough, if not just ask. Thanks!
jant90 15 (Author) Posted October 23, 2018

I'm a bit surprised, tbh. Is there nobody that cares about this?
Luke 42080 Posted October 23, 2018

It's something we plan to address in a future update. Thanks.
jant90 15 (Author) Posted October 24, 2018

> It's something we plan to address in a future update. Thanks.

Thanks for the feedback.
hobesman 18 Posted February 29, 2020

For anyone stumbling across this thread: it has not been resolved. The direct stream URL can be accessed from anywhere without authentication. If someone has your base server URL, they can simply add "/emby/videos/{randomNumber}/stream.mkv" and can start downloading your media library. With automated downloading they could start downloading your entire library without ever having a username or password for your server.

THIS SHOULD NOT BE!!! This is not a bug you sit on for years. This should be a high priority security issue! Am I missing something?
Luke 42080 Posted February 29, 2020

Hi, that's only true inside your local network. If you're outside your network the request will be rejected.
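The following is an added example, not code from this thread or from Emby, that turns the two URL shapes quoted in the first post into a repeatable check: it requests the direct-stream URL and the /Download URL with no credentials and reports which one is served. Run it against your own server from both inside and outside the LAN to see for yourself whether the external request is rejected as the last reply states. The host, port and item ID in the demo are assumptions, and the stand-in HTTP server at the bottom is constructed purely to mimic the behaviour the thread describes (stream.mkv served to anyone, /Download answering 401 "Access token is required." without api_key) so the script runs offline; point `audit()` at a real base URL and a real item ID to probe a live server.

```python
"""Probe whether an Emby-style server serves direct-stream URLs without credentials.

Added example, not code from the thread or from Emby. URL shapes follow the first
post; the stand-in server below is constructed to mimic the reported behaviour.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def stream_url(base_url, item_id, container="mkv"):
    """Direct-stream URL shape quoted in the first post."""
    return f"{base_url.rstrip('/')}/emby/Videos/{item_id}/stream.{container}"


def download_url(base_url, item_id, api_key=None):
    """Download URL shape quoted in the first post; api_key is left out when None."""
    url = f"{base_url.rstrip('/')}/emby/Items/{item_id}/Download"
    if api_key is not None:
        url += "?" + urllib.parse.urlencode({"api_key": api_key})
    return url


def probe(url, timeout=5):
    """GET the URL with no credentials at all and return the HTTP status.

    A one-byte Range request keeps a wide-open server from sending the whole
    file just so we can learn that it would.
    """
    req = urllib.request.Request(url, headers={"Range": "bytes=0-0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            resp.read(1)
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, item_id):
    """Probe both endpoints unauthenticated; returns {name: (status, verdict)}."""
    targets = {
        "stream": stream_url(base_url, item_id),
        "download": download_url(base_url, item_id),
    }
    results = {}
    for name, url in targets.items():
        status = probe(url)
        if status in (200, 206):
            verdict = "SERVED WITHOUT AUTH"
        elif status in (401, 403):
            verdict = "rejected"
        else:
            verdict = "other"
        results[name] = (status, verdict)
    return results


class StandInHandler(BaseHTTPRequestHandler):
    """Constructed stand-in reproducing the behaviour reported in the thread."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _reply(self, status, body, content_type="text/plain"):
        self.send_response(status)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        parsed = urllib.parse.urlparse(self.path)
        query = urllib.parse.parse_qs(parsed.query)
        if parsed.path.startswith("/emby/Videos/") and parsed.path.endswith("/stream.mkv"):
            # No auth check at all: any caller gets the bytes (EBML magic stands in for a file).
            self._reply(200, b"\x1a\x45\xdf\xa3", "video/x-matroska")
        elif parsed.path.startswith("/emby/Items/") and parsed.path.endswith("/Download"):
            if "api_key" in query:
                self._reply(200, b"\x1a\x45\xdf\xa3", "video/x-matroska")
            else:
                self._reply(401, b"Access token is required.")
        else:
            self._reply(404, b"not found")


def run_demo(item_id=12345):
    """Start the stand-in on a loopback port, audit it, shut it down, return results."""
    server = HTTPServer(("127.0.0.1", 0), StandInHandler)  # assumed loopback demo host
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    try:
        base = f"http://127.0.0.1:{server.server_address[1]}"
        return audit(base, item_id)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, verdict) in run_demo().items():
        print(f"{name:<9} HTTP {status}  {verdict}")
```

Against the stand-in the stream probe comes back 200 and the download probe 401, which is exactly the asymmetry the first post describes; against a real server the same two lines tell you, from wherever you run it, whether an unauthenticated client can pull media through the stream endpoint. Use an item ID you own and a server you administer.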