Boxee SMB Security Hole
After doing some research on how the Boxee remote system worked, I found some URLs for doing basic control/info retrieval from the older desktop software and the current software on the Boxee Box. One of these was the now playing status. After messing with some of the others, I went back to the now playing URL and noticed something that didn’t seem right.
Boxee doesn’t store the SMB (Windows file sharing) authentication in a secure data store and retrieve it securely, as is done on modern systems. Instead, it sends the username/password as part of EVERY request for media shared from a Windows computer. That means every request for media is sent in this format: “smb://<username>:<password>/path/to/media/file.<extension>”. This is not a secure method, especially since app developers can write remote apps that interact with the software, even to the extent of requesting the currently playing media.
While this isn’t a major issue on a single-user network, the issue really comes into focus on a multi-user shared network. Without a fix in the core of the Boxee software, all you can do is set up your share security so that only a Boxee-only user is exposed. For example, make a new user that is just for Boxee media shares, or set up your media shares to allow anyone to read but require an authenticated user to write. That way either an unimportant user is exposed, or Boxee can access the media without needing a login.
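If you write a remote app or a proxy that reads the now playing status, you can strip the credentials before the URL is displayed or logged. The following is an added example, not part of the original post or of Boxee's code; it assumes the credentials appear in the standard `user:password@host` position of the URL, and the function names and sample status text are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Matches an smb:// URL up to whitespace, a quote or an angle bracket.
SMB_URL = re.compile(r"smb://[^\s\"'<>]+", re.IGNORECASE)


def redact_smb_url(url):
    """Return (clean_url, had_credentials) for a single smb:// URL."""
    parts = urlsplit(url)
    if "@" not in parts.netloc:
        return url, False
    # Split on the LAST '@' so a raw '@' inside the password
    # does not leave part of the secret in the host field.
    host = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, host, parts.path,
                        parts.query, parts.fragment))
    return clean, True


def redact_text(text):
    """Redact every smb:// URL found in a text blob.

    Returns (clean_text, number_of_urls_that_carried_credentials).
    """
    found = 0

    def _sub(match):
        nonlocal found
        clean, had = redact_smb_url(match.group(0))
        found += had
        return clean

    return SMB_URL.sub(_sub, text), found


if __name__ == "__main__":
    # Constructed sample of a status response; the field names are assumptions.
    status = ("Filename:smb://mediauser:s3cret@nas.example/Movies/film.mkv\n"
              "Title:film")
    cleaned, count = redact_text(status)
    print(cleaned)
    print("URLs with embedded credentials:", count)
```

A non-zero count is also a useful signal that the account named in the URL should be treated as exposed to anyone who can query the player.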