User 'Cameras' with no password: do you have one?

Since the first post.
 
Not my issue, I don't automatically create credentials with blank passwords on a security application. This is a Blue Iris issue, and I've received an email from Ken stating that he found a bug which causes this when running as a service. An update is coming.
 
I did not mean that it's an issue with you... I meant that it's an issue with your particular systems... it did not occur on several of mine that I tested.
 
I certainly did not create the "cameras" account myself. Yet there it is when I open BI and look in the user list.
 
So, is this only an issue when running as a service? I run the application and do not seem to have the problem.
 
:nuts:

I just tried connecting to my "supposedly secure" Blue Iris remotely, using "cameras" as a user name with no password, and indeed it let me in.

I confirm this is real.

I am on 4.1.7, Windows 10 x64.

Holy crap, just logged in to my web interface from outside as Admin, no password and Cameras, no password. :eek:
Going to put strong passwords on them and disable, and test daily to make sure they stay disabled.
 

I could not get in with "admin" but I could with "cameras". There is an admin user with LAN only unchecked, but maybe it has a password assigned? I'll have to investigate that more later.
 
Earlier this year I noticed a different quirk in Blue Iris' security, where sessions get associated with the remote IP address they are coming from. In other words, if you were to log in to your Blue Iris web server from work using a work PC (or your phone on WiFi), then you would be inadvertently giving access to everyone else who uses the same public IP address. In many small businesses, that would be everyone in the office. All they would need to know is your server address and port number. They could connect to your server and Blue Iris wouldn't even make them authenticate. It would automatically share your session cookie with them. If you were logged in as an administrator, they would be too. It is fixed in recent versions of Blue Iris 4.x, but older 4.x and 3.x releases are vulnerable to this.
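
The session quirk described in the post above, modelled as an added example that is not part of the thread and is not Blue Iris code: one session store that associates a login with the remote IP address, beside one that requires an unguessable cookie token. The class names, user name and the 203.0.113.10 address are constructed for illustration.

```python
import hashlib
import secrets


class IpBoundSessions:
    """Hypothetical model of the flaw: the session is found by remote IP."""

    def __init__(self):
        self._by_ip = {}

    def login(self, remote_ip, user):
        self._by_ip[remote_ip] = user

    def authenticate(self, remote_ip, cookie=None):
        # Any request from the same public IP inherits the session,
        # whether or not it presents a cookie.
        return self._by_ip.get(remote_ip)


class TokenBoundSessions:
    """Hardened form: only the holder of a random token is authenticated."""

    def __init__(self):
        self._by_digest = {}

    def login(self, remote_ip, user):
        token = secrets.token_urlsafe(32)  # sent to this one browser as a cookie
        # Store only a digest so a leaked session table yields no usable tokens.
        self._by_digest[hashlib.sha256(token.encode()).hexdigest()] = user
        return token

    def authenticate(self, remote_ip, cookie=None):
        if not cookie:
            return None  # the remote IP alone proves nothing
        return self._by_digest.get(hashlib.sha256(cookie.encode()).hexdigest())


def demo():
    office_ip = "203.0.113.10"  # constructed: one NAT address shared by an office
    weak = IpBoundSessions()
    weak.login(office_ip, "admin")
    coworker_weak = weak.authenticate(office_ip)  # second PC, no cookie

    strong = TokenBoundSessions()
    token = strong.login(office_ip, "admin")
    coworker_strong = strong.authenticate(office_ip)  # second PC, no cookie
    owner_strong = strong.authenticate(office_ip, token)
    return coworker_weak, coworker_strong, owner_strong


if __name__ == "__main__":
    print(demo())
```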
 
What worries me is these added users (admin and cameras) which were pushed on us, they were enabled by default. At least Ken could have made them not enabled as he introduces the features he is planning.
 
Nothing was pushed on anyone... the update is voluntary... that is why it's important not to auto install updates and wait a bit before updating. This is true for any software, not only BI. It's really simply common sense. The "cameras" user name was a bug that was only present for those running as a service. That is why most of us have not seen it.
 

Camera was a bug, mmm, Fenderman you should be a comedian. Let's call it what it is, a major security flaw. Was cameras described in the release note of update, answer NO. So it was pushed on us. I'd suggest code for users be kept simple and tight.

I don't auto update and we all probably use BI voluntarily. You say "Most of us" chuckle chuckle you crack me up.
 
Again if you waited before applying every new update immediately this would not be an issue. It was a minor bug only affecting users who use blue as a service... It is very unlikely that anyone's system was compromised... The attacker would not only need your IP address, but also know of this specific flaw in Blue Iris, which is unlikely... If you feel Blue Iris does not provide the level of security you need, take a look at the competition... Let's not blow it out of proportion... If you are paranoid and want to avoid security issues with remote access, take 5 minutes and set up a VPN. Problem solved. There is lots of hysteria and paranoia over nothing. If I were you, I would be MUCH more concerned about your port forwarded Foscams which are a serious security threat.

Not sure what your issue with "most of us" is, most users do not run as a service.
 
On this issue Fenderman, your opinion is a joke "minor bug". Move on.
We can agree to disagree... If you think your Hikvision NVR is going to be more secure you have another thing coming... Set up a VPN if you intend to use it...
 
Let's be fair, as security flaws go, this is a pretty major one. As long as Ken fixes it in a timely manner, the impact of this bug will be minimal or non-existent.
 
I just wanted to mention that yesterday I was doing some maintenance on one of my BI servers, and had gone in to look to see if there was a "cameras" user account. After confirming that there was no such user, I did go ahead and upgrade to 4.1.7.0 from 4.1.5.x. After the upgrade I went back into users and I found that both admin and cameras have been added as users. I am running BI as a service.
 
Let's be fair, as security flaws go, this is a pretty major one. As long as Ken fixes it in a timely manner, the impact of this bug will be minimal or non-existent.
Exactly my point... Minimal impact for the reasons stated... Vulnerabilities need to be looked at in the proper context... The panic over this makes it appear much worse than it is...
There is already a new update available...
I don't think there is any software company I am aware of that updates vulnerabilities this quickly... Let alone NVRs where firmware updates come rarely...