User 'Cameras' with no password: do you have one?

technet

Getting the hang of it
Joined
Dec 25, 2014
Messages
136
Reaction score
17
Since the first post.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,902
Reaction score
21,274
> Since the first post.

I understand that was your issue, however, no one else reported the issue until bp did, so I want to clarify whether the user name was being created on its own.
 

technet

Not my issue, I don't automatically create credentials with blank passwords on a security application. This is a Blue Iris issue, and I've received an email from Ken stating that he found a bug which causes this when running as a service. An update is coming.
 

fenderman

> Not my issue, I don't automatically create credentials with blank passwords on a security application. This is a Blue Iris issue, and I've received an email from Ken stating that he found a bug which causes this when running as a service. An update is coming.

I did not mean that it's an issue with you... I meant that it's an issue with your particular systems... it did not occur on several of mine that I tested.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,676
Reaction score
14,023
Location
USA
I certainly did not create the "cameras" account myself. Yet there it is when I open BI and look in the user list.
 

anijet

Pulling my weight
Joined
Mar 10, 2014
Messages
346
Reaction score
165
Location
CA
So, is this only an issue when running as a service? I run the application and do not seem to have the problem.
 

The_Penguin

Pulling my weight
Joined
May 18, 2015
Messages
190
Reaction score
105
Location
Western Canada
> :nuts:
>
> I just tried connecting to my "supposedly secure" Blue Iris remotely, using "cameras" as a user name with no password, and indeed it let me in.
>
> I confirm this is real.
>
> I am on 4.1.7, Windows 10 x64.

Holy crap, just logged in to my web interface from outside as Admin, no password and Cameras, no password. :eek:
Going to put strong passwords on them and disable, and test daily to make sure they stay disabled.
 

fenderman

> So, is this only an issue when running as a service? I run the application and do not seem to have the problem.

That would explain why I have not seen it..

Sent via Taptalk
 

bp2008

> Holy crap, just logged in to my web interface from outside as Admin, no password and Cameras, no password. :eek:
> Going to put strong passwords on them and disable, and test daily to make sure they stay disabled.

I could not get in with "admin" but I could with "cameras". There is an admin user with LAN only unchecked, but maybe it has a password assigned? I'll have to investigate that more later.
 

bp2008

Earlier this year I noticed a different quirk in Blue Iris' security, where sessions get associated with the remote IP address they are coming from. In other words, if you were to log in to your Blue Iris web server from work using a work PC (or your phone on WiFi), then you would be inadvertently giving access to everyone else who uses the same public IP address. In many small businesses, that would be everyone in the office. All they would need to know is your server address and port number. They could connect to your server and Blue Iris wouldn't even make them authenticate. It would automatically share your session cookie with them. If you were logged in as an administrator, they would be too. It is fixed in recent versions of Blue Iris 4.x, but older 4.x and 3.x releases are vulnerable to this.
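
The session behaviour described in the post above, as an added Python sketch (not Blue Iris code and not part of any post in this thread). The class names, the `office_scenario` helper and the addresses are constructed for illustration; the first class models a session looked up by remote IP, the second a session identified only by its cookie value.

```python
import secrets

class IpKeyedSessions:
    """Flawed lookup as described in the post: a login is remembered per remote IP."""
    def __init__(self):
        self._by_ip = {}

    def login(self, remote_ip, user):
        token = secrets.token_urlsafe(32)
        self._by_ip[remote_ip] = (token, user)
        return token

    def authenticate(self, remote_ip, cookie):
        # The cookie is never checked: any client arriving from the same
        # public IP (same office NAT or WiFi) inherits the logged-in user.
        entry = self._by_ip.get(remote_ip)
        return entry[1] if entry else None


class TokenKeyedSessions:
    """Corrected lookup: only the unguessable cookie value identifies a session."""
    def __init__(self):
        self._by_token = {}

    def login(self, remote_ip, user):
        token = secrets.token_urlsafe(32)
        self._by_token[token] = user
        return token

    def authenticate(self, remote_ip, cookie):
        # remote_ip is deliberately ignored for identity; no cookie, no session.
        return self._by_token.get(cookie) if cookie else None


def office_scenario(store):
    """Owner logs in from the office; a coworker behind the same NAT sends no cookie."""
    office_ip = "203.0.113.10"  # constructed documentation address (RFC 5737)
    owner_cookie = store.login(office_ip, "admin")
    return {
        "owner": store.authenticate(office_ip, owner_cookie),
        "coworker_no_cookie": store.authenticate(office_ip, None),
        "other_network": store.authenticate("198.51.100.7", None),
    }


if __name__ == "__main__":
    print("ip-keyed:   ", office_scenario(IpKeyedSessions()))
    print("token-keyed:", office_scenario(TokenKeyedSessions()))
```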
 

MartyO

Banned
Joined
Jun 4, 2015
Messages
589
Reaction score
20
What worries me is these added users (admin and cameras) which were pushed on us, they were enabled by default. At least Ken could have made them not enabled as he introduces the features he is planning.
 

MartyO

Thanks again to TechNet for posting probably the most important thread to date to this forum on BI.
 

fenderman

> What worries me is these added users (admin and cameras) which were pushed on us, they were enabled by default. At least Ken could have made them not enabled as he introduces the features he is planning.

Nothing was pushed on anyone... the update is voluntary... that is why it's important not to auto install updates and wait a bit before updating. This is true for any software, not only BI. It's really simply common sense. The "cameras" user name was a bug that was only present for those running as a service. That is why most of us have not seen it.
 

MartyO

> Nothing was pushed on anyone... the update is voluntary... that is why it's important not to auto install updates and wait a bit before updating. This is true for any software, not only BI. It's really simply common sense. The "cameras" user name was a bug that was only present for those running as a service. That is why most of us have not seen it.

Camera was a bug, mmm, Fenderman you should be a comedian. Let's call it what it is, a major security flaw. Was cameras described in the release note of the update? Answer: NO. So it was pushed on us. I'd suggest code for users be kept simple and tight.

I don't auto update and we all probably use BI voluntarily. You say "Most of us", chuckle chuckle, you crack me up.
 

fenderman

> Camera was a bug, mmm, Fenderman you should be a comedian. Let's call it what it is, a major security flaw. Was cameras described in the release note of the update? Answer: NO. So it was pushed on us. I'd suggest code for users be kept simple and tight.
>
> I don't auto update and we all probably use BI voluntarily. You say "Most of us", chuckle chuckle, you crack me up.

Again if you waited before applying every new update immediately this would not be an issue. It was a minor bug only affecting users who use blue as a service... It is very unlikely that anyone's system was compromised... The attacker would not only need your ip address, but also know of this specific flaw in blue iris, which is unlikely... If you feel blue iris does not provide the level of security you need, take a look at the competition... Let's not blow it out of proportion... If you are paranoid and want to avoid security issues with remote access, take 5 minutes and set up a vpn. Problem solved. There is lots of hysteria and paranoia over nothing. If I were you, I would be MUCH more concerned about your port forwarded foscams which are a serious security threat.

Not sure what your issue with "most of us" is, most users do not run as a service.
Sent via Taptalk
 

fenderman

> On this issue, Fenderman, your opinion is a joke, "minor bug". Move on.

We can agree to disagree... If you think your hikvision nvr is going to be more secure you have another thing coming... Set up a vpn if you intend to use it...

Sent via Taptalk
 

bp2008

Let's be fair, as security flaws go, this is a pretty major one. As long as Ken fixes it in a timely manner, the impact of this bug will be minimal or non-existent.
 

digger11

Getting comfortable
Joined
Mar 26, 2014
Messages
368
Reaction score
376
I just wanted to mention that yesterday I was doing some maintenance on one of my BI servers, and had gone in to look to see if there was a "cameras" user account. After confirming that there was no such user, I did go ahead and upgrade to 4.1.7.0 from 4.1.5.x. After the upgrade I went back into users and I found that both admin and cameras have been added as users. I am running BI as a service.
 

fenderman

> Let's be fair, as security flaws go, this is a pretty major one. As long as Ken fixes it in a timely manner, the impact of this bug will be minimal or non-existent.

Exactly my point... Minimal impact for the reasons stated... Vulnerabilities need to be looked at in the proper context... The panic over this makes it appear much worse than it is...
There is already a new update available...
I don't think there is any software company I am aware of that updates vulnerabilities this quickly... Let alone NVRs where firmware updates come rarely...

Sent via Taptalk
 