If you have your Shinobi web interface exposed to the internet, anyone can view and download your videos.
-
Just found this out today with a simple copy and paste. If you right-click on where you download a video from and copy the link address, then paste it into a browser on an unauthenticated machine, you can download the video. If you delete the filename and navigate to the closest folder (i.e. my.domain.com/path/to/video/files/), then you get a nice list of all the video files associated with that camera.
-
@skluthe Not a good bug, and not a good practice. Dude, don't directly expose a beta to the internet.
"Popped, you are hmmm." -Yoda
-
@ratatine said in If you have your Shinobi web interface exposed to the internet, anyone can view and download your videos.:
@skluthe Not a good bug, and not a good practice. Dude, don't directly expose a beta to the internet.
"Popped, you are hmmm." -Yoda
The purpose of a beta is to test it, which is what I'm doing. Most users aren't going to follow best practice.
Just using it to monitor my dog when I'm not home. God forbid an attacker sees my cute puppy.
-
Use .htaccess files for the video storage folders. Require a login unless it is coming from 127.0.0.1.
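
The .htaccess approach suggested in the last reply, written out as an added example that is not part of the original thread and not Shinobi's own configuration. It assumes Apache 2.4 is what serves the video storage folder and that `AllowOverride AuthConfig Options` is enabled for it; the password file path and realm name are placeholders.

```apache
# Hypothetical .htaccess for the video storage folder (added example).
# Assumes Apache 2.4 serves this folder with AllowOverride AuthConfig Options.

# Stop Apache from generating the file list when the filename is removed
# from the URL and only the folder path is requested.
Options -Indexes

# HTTP Basic authentication. The password file path is a placeholder;
# keep the file outside any web-served directory and create it with
# the htpasswd utility.
AuthType Basic
AuthName "Video storage"
AuthUserFile "/path/to/.htpasswd"

# Allow a request if EITHER condition holds:
#   - it originates from the local machine (127.0.0.1 or ::1), or
#   - it carries valid credentials from the password file.
<RequireAny>
    Require ip 127.0.0.1 ::1
    Require valid-user
</RequireAny>
```

If a reverse proxy on the same host sits in front of Apache, every request arrives from 127.0.0.1 and the local exemption lets all of them through, so drop the `Require ip` line in that setup. Basic authentication sends credentials with each request, so serve the folder over HTTPS.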