Blue iris massive security flaw!!!! All your recordings are visible to all users

erkme73 · Jan 14, 2015

http://ip-address-of-BI-server:port/clips/

This will reveal EVERY SINGLE CAMERA RECORDING - even clips that are not in the group the logged in user has access to. There is NO way to stop this.

If you turn off "allows directory listing" ANY user that is logged in can still view ANY file so long as they know the name of the file.

This is HUGE.

All of my camera recordings are visible to any user - even if their permissions are set to only ONE camera.

fenderman · Jan 14, 2015

@erkme73 thanks for the heads up.
Did you notify Ken?
Just to clarify for others, this is only a concern if you have set up camera groups and users to prevent some users from accessing certain cameras...this will not allow random folks to view your feed.

erkme73 · Jan 14, 2015

Of course. I notified Ken immediately.

And yes, the user must be logged in as approved user. But, if you have family or anyone else as a user, and they're segregated with groups so they can see only public (i.e. outside) cameras, but you have indoor (i.e. bedroom) cameras, they can see everything.

In other words, you have to assume ANY user you give access to, even if it's just one specific camera, will have access to all of them via recordings.

This is a huge flaw and undermines the user functions.

fenderman · Jan 14, 2015

I agree it is a flaw that needs to be repaired...

erkme73 · Jan 14, 2015

Yes, and it isn't my intention to make Ken look bad. Rather, I want to make sure that anyone else in my situation is immediately made aware of the possibility that their users have access to their most private camera recordings. I don't know how long it will take Ken to address and fix this - let alone respond to my urgent request for help. But however long it is, it's too long to let others be exposed like this.

My wife is actively breastfeeding our newborn, and has complete confidence in my technical ability to lock down the cameras in the nursery and bedroom. Yet, today, I get a call from my brother, who has access only to my outdoor cameras and the camera directly above the crib (but nothing private) - who tells me he can view EVERY ONE of my recordings for the last 6 months. I'm afraid to tell my wife. Yes, it's my brother, and I trust him. But, I have about 30 people who use my "non-private" user login - that provides access to the crib camera and other public cameras.

Fortunately none of them are technically savvy, but still...

Overcon · Jan 14, 2015

I don't see anything when I do that.

What about setting Windows Security permissions on the clips folder? You should be able to change them on the clips folder to only allow the BI service to access the folder. For example, you could create a BI_Admin user and assign it as the service account for the BI Service and then assign it as the only user to have full read/write permissions to the clips folder. That way Bi could still do it's thing, but even signed in users couldn't access it? Might or might not work. I can't duplicate the access to the clips folder by going to my website

ort/clips folder, it's just blank.

Mike · Jan 14, 2015

I am unable to replicate this on BI3 or BI4. /clips/ is just a blank page...logged in as an admin. Regardless, thanks for sharing this with the community.

Zxel · Jan 14, 2015

I can replicate and confirm the error. You will need to know the file name of the clip (i.e http://ip-address-of-BI-server:port/clips/camera.date.time.bvr) unless you are java savy. Using BI4.0.0.21

Overcon · Jan 14, 2015

Zxel said:
I can replicate and confirm the error. You will need to know the file name of the clip (i.e http://ip-address-of-BI-server:port/clips/camera.date.time.bvr) unless you are java savy. Using BI4.0.0.21

Ah, so it's a little more to it then just accessing the folder and seeing all the clips. Has anyone tried to change the permissions on the clips folder?

bp2008 · Jan 14, 2015

I get a full clip listing when I look there. Good find, erkme, and I hope Ken updates BI 3.x with the fix as well since I am sure a lot of folks like myself have some installs that will likely never move on to version 4.

For those of you who do not see it, make sure you are including the trailing '/'.

i.e.

http://localhost/clips/

Overcon said:
What about setting Windows Security permissions on the clips folder? You should be able to change them on the clips folder to only allow the BI service to access the folder.

This would not change anything -- it is the BI service that accesses the folder and owns the web server.

Overcon · Jan 14, 2015

OK, I duplicated it once I knew the full path and file name was required. As bp2008 said, you can get a list if you include the training / after clips.

http://192.168.1.1:1776/clips/FPORCH.20141230_065019.51212.2.jpg

Zxel · Jan 14, 2015

bp2008 said:
This would not change anything -- it is the BI service that accesses the folder and owns the web server.

bp2008 is correct, BI uses the same binary to serve the web as it does the main program (all in one - either one, service or stand alone). Had BI used a seperate binary for the web service it would have been possible. As it is now (since the web folders are virtual folders provided by BI) it is up to Ken to fix it.

bp2008 · Jan 14, 2015

FYI you can also access stored clips, via /stored/ so there is no telling how many other things are not being properly locked down.

I was completely unaware you could access clips this way in the first place. Some of Blue Iris' remote capabilities, like this one, are undocumented. This has implications for new features on my ui2 page! i.e I could let a user download the source of a clip right there from the UI, and maybe even have the browser play the clip using html5 streaming, if the clip is h264 in an mp4 container. That would beat the heck out of jpeg streaming, but it might not work if BI's web server will not respond correctly to byte range requests.

Zxel · Jan 14, 2015

One thing that can be done now to mitigate the issue is to obfuscate the folder names in BI. So you would rename the folders in BI to something other than their defaults. So the clips folder becomes $rtY!dfe (or some such thing).

erkme73 · Jan 14, 2015

Zxel said:
One thing that can be done now to mitigate the issue is to obfuscate the folder names in BI. So you would rename the folders in BI to something other than their defaults. So the clips folder becomes $rtY!dfe (or some such thing).

The problem with that work-around is if I click on a recorded clip that I SHOULD have access to, just above the replay window is the relative path - including the /clip/*.bvr location. I haven't tried renaming the path to see if it would still display, but suspect it would show the new path.

As for having an empty page even when using the trailing forward slash (/clips/) keep in mind that if you turn off "allow directory listing" under global settings/webserver/advance, it will preclude ANY user seeing the listing. However, if the path and camera name is known (albeit unlikely that a user could figure that out), it's still possible to access all of the clips in the directory.

My brother was kind enough to print a 50-page pdf with the name of every clip in my directory (about 3000 of them). He now has the name of every file. I'd have to move them into an inaccessible directory (thus no longer viewable by me either). Further, I have to now rename every camera so that he (or anyone else who HAD access to the dir) doesn't know what the camera names are.

BTW, I'm running 4.0.21-64. This flaw exists on all known versions.

Neither is a good solution. I'm really hoping Ken is able to find a solution going forward, as well as one that eliminates the need to cover my previous tracks.

erkme73 · Jan 14, 2015

Ken has replied:

Please make sure that on Options/Web server/Advanced you have "Allow directory listing" NOT checked! This is OFF by default.

Edited to add:

After explaining that I didn't think that was a valid solution given users could still access files if they knew the file structure, his response was as follows:

Agreed ...

Sometimes security through obscurity isn't enough.

Additional check added per-file access for accessible camera groups. Will be in 4.0.0.22.

Overcon · Jan 14, 2015

Awesome. I turned the listing off as well so that cleaned that little bit up.

Zxel · Jan 15, 2015

As usual Ken is on issues fast. Go Ken!

erkme73 · Jan 15, 2015

I had absolutely no doubt he'd get right on top of it. I felt really bad posting this, but felt that if anyone was exposed, they should know NOW. It's going to take some time to convince my wife to trust the cameras again.

petrho · Jan 15, 2015

My "allow directory listing" was checked (as default)

Search

Blue iris massive security flaw!!!! All your recordings are visible to all users

erkme73

BIT Beta Team

fenderman

erkme73

BIT Beta Team

fenderman

erkme73

BIT Beta Team

Overcon

Getting the hang of it

Mike

Zxel

Getting the hang of it

Overcon

Getting the hang of it

bp2008

Overcon

Getting the hang of it

Zxel

Getting the hang of it

bp2008

Zxel

Getting the hang of it

erkme73

BIT Beta Team

erkme73

BIT Beta Team

Overcon

Getting the hang of it

Zxel

Getting the hang of it

erkme73

BIT Beta Team

petrho

n3wb