Blue iris massive security flaw!!!! All your recordings are visible to all users

erkme73

Nov 9, 2014
http://ip-address-of-BI-server:port/clips/

This will reveal EVERY SINGLE CAMERA RECORDING - even clips that are not in the group the logged-in user has access to. There is NO way to stop this.

If you turn off "allows directory listing" ANY user that is logged in can still view ANY file so long as they know the name of the file.

This is HUGE.

All of my camera recordings are visible to any user - even if their permissions are set to only ONE camera.
@erkme73 thanks for the heads up.
Did you notify Ken?
Just to clarify for others, this is only a concern if you have set up camera groups and users to prevent some users from accessing certain cameras...this will not allow random folks to view your feed.
Of course. I notified Ken immediately.

And yes, the user must be logged in as approved user. But, if you have family or anyone else as a user, and they're segregated with groups so they can see only public (i.e. outside) cameras, but you have indoor (i.e. bedroom) cameras, they can see everything.

In other words, you have to assume ANY user you give access to, even if it's just one specific camera, will have access to all of them via recordings.

This is a huge flaw and undermines the user functions.
 
Yes, and it isn't my intention to make Ken look bad. Rather, I want to make sure that anyone else in my situation is immediately made aware of the possibility that their users have access to their most private camera recordings. I don't know how long it will take Ken to address and fix this - let alone respond to my urgent request for help. But however long it is, it's too long to let others be exposed like this.

My wife is actively breastfeeding our newborn, and has complete confidence in my technical ability to lock down the cameras in the nursery and bedroom. Yet, today, I get a call from my brother, who has access only to my outdoor cameras and the camera directly above the crib (but nothing private) - who tells me he can view EVERY ONE of my recordings for the last 6 months. I'm afraid to tell my wife. Yes, it's my brother, and I trust him. But, I have about 30 people who use my "non-private" user login - that provides access to the crib camera and other public cameras.

Fortunately none of them are technically savvy, but still...
 
I don't see anything when I do that.

What about setting Windows Security permissions on the clips folder? You should be able to change them on the clips folder to only allow the BI service to access the folder. For example, you could create a BI_Admin user and assign it as the service account for the BI Service and then assign it as the only user to have full read/write permissions to the clips folder. That way BI could still do its thing, but even signed-in users couldn't access it? Might or might not work. I can't duplicate the access to the clips folder by going to my website:port/clips folder, it's just blank.
 
I get a full clip listing when I look there. Good find, erkme, and I hope Ken updates BI 3.x with the fix as well since I am sure a lot of folks like myself have some installs that will likely never move on to version 4.

For those of you who do not see it, make sure you are including the trailing '/'.

i.e.

What about setting Windows Security permissions on the clips folder? You should be able to change them on the clips folder to only allow the BI service to access the folder.

This would not change anything -- it is the BI service that accesses the folder and owns the web server.
 
This would not change anything -- it is the BI service that accesses the folder and owns the web server.

bp2008 is correct, BI uses the same binary to serve the web as it does the main program (all in one - either one, service or stand alone). Had BI used a separate binary for the web service it would have been possible. As it is now (since the web folders are virtual folders provided by BI) it is up to Ken to fix it.
 
FYI, you can also access stored clips via /stored/, so there is no telling how many other things are not being properly locked down.

I was completely unaware you could access clips this way in the first place. Some of Blue Iris' remote capabilities, like this one, are undocumented. This has implications for new features on my ui2 page! i.e. I could let a user download the source of a clip right there from the UI, and maybe even have the browser play the clip using html5 streaming, if the clip is h264 in an mp4 container. That would beat the heck out of jpeg streaming, but it might not work if BI's web server will not respond correctly to byte range requests.
 
One thing that can be done now to mitigate the issue is to obfuscate the folder names in BI. So you would rename the folders in BI to something other than their defaults. So the clips folder becomes $rtY!dfe (or some such thing).
 
One thing that can be done now to mitigate the issue is to obfuscate the folder names in BI. So you would rename the folders in BI to something other than their defaults. So the clips folder becomes $rtY!dfe (or some such thing).

The problem with that work-around is if I click on a recorded clip that I SHOULD have access to, just above the replay window is the relative path - including the /clip/*.bvr location. I haven't tried renaming the path to see if it would still display, but suspect it would show the new path.

As for having an empty page even when using the trailing forward slash (/clips/) keep in mind that if you turn off "allow directory listing" under global settings/webserver/advance, it will preclude ANY user seeing the listing. However, if the path and camera name is known (albeit unlikely that a user could figure that out), it's still possible to access all of the clips in the directory.

My brother was kind enough to print a 50-page pdf with the name of every clip in my directory (about 3000 of them). He now has the name of every file. I'd have to move them into an inaccessible directory (thus no longer viewable by me either). Further, I have to now rename every camera so that he (or anyone else who HAD access to the dir) doesn't know what the camera names are.

BTW, I'm running 4.0.21-64. This flaw exists on all known versions.

Neither is a good solution. I'm really hoping Ken is able to find a solution going forward, as well as one that eliminates the need to cover my previous tracks.
 
Ken has replied:

Please make sure that on Options/Web server/Advanced you have "Allow directory listing" NOT checked! This is OFF by default.

Edited to add:

After explaining that I didn't think that was a valid solution given users could still access files if they knew the file structure, his response was as follows:

Agreed ...

Sometimes security through obscurity isn't enough.


Additional check added per-file access for accessible camera groups. Will be in 4.0.0.22.
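The fix Ken describes is a per-file authorization check rather than hiding the listing. The sketch below is an added illustration of that difference, not Blue Iris code: the clip file layout ("<camera>.<timestamp>.bvr"), the group tables and the user names are all constructed assumptions.

```python
import os
import re

# Constructed sample data (hypothetical): which cameras sit in which
# group, and which groups each user is allowed to view.
CAMERA_GROUPS = {"outdoor": {"driveway", "porch"}, "private": {"nursery", "bedroom"}}
USER_GROUPS = {"admin": {"outdoor", "private"}, "family": {"outdoor"}}

# Assumed clip naming convention: <camera>.<14-digit timestamp>.bvr
FILENAME_RE = re.compile(r"^([a-z0-9_-]+)\.\d{14}\.bvr$")

SAMPLE_CLIPS = [  # constructed directory contents
    "driveway.20141109120000.bvr",
    "nursery.20141109120500.bvr",
    "porch.20141109121000.bvr",
    "bedroom.20141109121500.bvr",
]

def camera_of(filename):
    """Recover the camera name from a clip filename, or None if malformed."""
    m = FILENAME_RE.match(filename)
    return m.group(1) if m else None

def vulnerable_can_fetch(user, filename):
    """Behaviour the thread describes before 4.0.0.22: being logged in is
    the only gate on /clips/<file>; turning off the listing hides names
    but does not stop a direct request for a known name."""
    return user in USER_GROUPS

def hardened_can_fetch(user, filename):
    """Per-file check: the clip's camera must be in a group the user may view."""
    if user not in USER_GROUPS:
        return False
    # Reject traversal and odd names before touching the filesystem.
    if filename != os.path.basename(filename) or "\x00" in filename:
        return False
    camera = camera_of(filename)
    if camera is None:
        return False
    allowed = set().union(*(CAMERA_GROUPS.get(g, set()) for g in USER_GROUPS[user]))
    return camera in allowed

def visible_clips(user, filenames):
    """Directory listing filtered by the same per-file rule, so the list
    and the fetch path can never disagree about what a user may see."""
    return [f for f in filenames if hardened_can_fetch(user, f)]
```

With the vulnerable rule the "family" user fetches nursery clips; with the hardened rule only the outdoor clips are listed or served to that user.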
Awesome. I turned the listing off as well so that cleaned that little bit up.
 
I had absolutely no doubt he'd get right on top of it. I felt really bad posting this, but felt that if anyone was exposed, they should know NOW. It's going to take some time to convince my wife to trust the cameras again.