User 'Cameras' with no password: do you have one?

[technet]

Hello everyone,

I've seen that in some Blue Iris installations we can find a user 'cameras' with no password and it has unlimited remote access.

What is that exactly? We've disabled it here, of course.

 

[fenderman]

Hello everyone,

I've seen that in some Blue Iris installations we can find a user 'cameras' with no password and it has unlimited remote access.

What is that exactly? Disabled here, of course.

If you mean admin then see this release note

• Admin console sessions and anonymous-admin remote sessions now have their own automatically created Options/Users account "admin". For security, it will not be possible to login with this account remotely unless you assign it a password (or had a pre-existing admin account with a password). This will aid in the future development of per-user statistics and counters.​

Any other use must have been created by someone.

 

[technet]

not related with this release note.

 

[fenderman]

not related with this release note.

then someone created the account.

 

[technet]

On different systems, at different installations? I don't see how, really. No (other) security issues found on any related computers.

 

[fenderman]

On different systems, at different installations? I don't see how, really. No (other) security issues found on any related computers.

Is anyone besides you managing these installs. I have never seen this on any system.

 

[technet]

no one.

 

[fenderman]

no one.

I would email support and see what he says.

 

[technet]

I did that already.

 

[technet]

Maybe a better approach would be to have a setting on these automatically created users that clearly shows "LAN only". I didn't see that.

If you mean admin then see this release note

• Admin console sessions and anonymous-admin remote sessions now have their own automatically created Options/Users account "admin". For security, it will not be possible to login with this account remotely unless you assign it a password (or had a pre-existing admin account with a password). This will aid in the future development of per-user statistics and counters.​

Any other use must have been created by someone.

 

[technet]

On one setup, user 'cameras' reappeared after being deleted.

Could you guys check on your updated Blue Iris installations if there's a 'cameras' user?

 

[fenderman]

I have looked at 4 installs..none of them have it..what version of blue iris are you running?

 

[technet]

Latest, with automatic updates every night at 03:00AM.

Are you using mobiles to access them?

 

[fenderman]

Latest, with automatic updates every night at 03:00AM.

Are you using mobiles to access them?

yes, the blue iris mobile app

 

[technet]

I think that I was able to reproduce it. After some Android app logins and enabling and disabling audio on cameras, and browser logins, the user appears. It allows remote viewing and listening of every group.

 

[fenderman]

I think that I was able to reproduce it. After some Android app logins and enabling and disabling audio on cameras, and browser logins, the user appears. It allows remote viewing and listening of every group.

that is strange...let us know what support says..

 

[technet]

Sure.

It seems that in the best scenario it could be some source code leftover that was used to help development/debug.

 

[MartyO]

I've seen the same thing with cameras , its the one thing about BI that worries me. I don't use audio.

 

[MartyO]

long ago I made one log on account with admin privleges and that was all I would see under users. Then just recently noticed additional camera and admin users, deleted both, the admin reappears every time with no password. I had to uncheck it, cause removing doesn't work. If this type of shit happens again I'll have to give up BI which I do like. No excuses please about one person,

 

[MartyO]

I just updated to latest 4.1.7, camera is back in my user list, enabled with no password. WTF!!!!