Latest post Wed, Jun 22 2022 5:23 AM by DevinPomsilina. 4 replies.
Page 1 of 1 (5 items)
  • Wed, May 25 2022 1:09 AM

    • binba
    • Not Ranked
    • Joined on Mon, Jan 15 2007
    • Posts 68
    • Points 920

    Avid Link security vulnerability for facilities

    If you're running a facility where you rent Avid bays, and activate them with Avid Link by signing in to your account -- you better remember to sign out of it. Or better yet, never sign into it in the first place. If you leave it signed in, any freelancer, anybody using the system, immediately has full access to your Avid Master account.

    They can:
    - See all your licenses, Media Composer and otherwise
    - Modify auto-renewal, terminate subscriptions
    - View your purchase history
    - Access all your Avid support cases ever
    - Respond or open new support cases impersonating you, asking Avid to reset activations, or really anything Avid Support could do for/to your systems.
    - See your personal/business account data, including partial credit card info
    And more...

    Steps to reproduce: On a system with Avid Link signed into your account:
    1. In your web browser, go to my.avid.com
    2. Sign out
    3. In Avid Link toolbar menu, click "Go to MyAvid".
    4. Voila! You're signed back in.

    I confirmed this behavior is still in the latest 2022.4 version. Tested on macOS+Chrome.

    What personally upsets me is how blatant & easy this vulnerability is, and how Avid hasn't bothered to fix it in the 6 months since I reported it. (Their answer was, "just sign out".) In their opinion it's a "feature request". All they need to do is to delete the piece of code that transfers authentication from Link into your web browser.

    At our facility, we banned logging in in Link months ago, because of this. It's not worth the risk and we don't need clients or freelancers snooping around in our Avid account. We always plug in the sys ID and activation code manually. A quarter of monthly subscriptions break every month and need a shakeup, but it's still safer.

    PS Do the forums always murder any line breaks in posts?
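As an added illustration (not part of this thread, and not Avid's code; nothing here describes how Avid Link actually works internally), the toy model below contrasts the design the post describes, where a desktop app's persistent login mints a fresh browser session every time a menu item is clicked, with a hardened handoff in which the browser redeems a single-use, short-lived token and a browser sign-out revokes the desktop login that seeded it. All names, the `AccountBackend` class, the 60-second TTL and the account string are constructed assumptions.

```python
import secrets
import time

# Assumed value for this model: handoff tokens live for one minute.
HANDOFF_TTL_SECONDS = 60


class AccountBackend:
    """Toy account service (constructed for this example) tracking desktop-app
    logins, browser sessions and pending handoff tokens."""

    def __init__(self):
        self.app_logins = {}      # app_login_id -> account name
        self.web_sessions = {}    # web_session_id -> account name
        self.handoff_tokens = {}  # token -> (account, expiry, issuing app_login_id)

    def app_sign_in(self, account):
        """Desktop app signs in once and keeps this login id on disk."""
        login_id = secrets.token_urlsafe(16)
        self.app_logins[login_id] = account
        return login_id

    # ---- pattern the thread describes: app mints a browser session on demand ----
    def go_to_web_unsafe(self, app_login_id):
        """Each click turns the app's persistent login into a new browser session.
        Browser sign-out only drops that one session, so the next click signs
        the browser straight back in."""
        account = self.app_logins.get(app_login_id)
        if account is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.web_sessions[session_id] = account
        return session_id

    def web_sign_out_unsafe(self, session_id):
        self.web_sessions.pop(session_id, None)

    # ---- hardened pattern: single-use, short-lived handoff; sign-out is global ----
    def issue_handoff(self, app_login_id, now=None):
        """App obtains a one-time token instead of a session; the token is bound
        to the requesting app login and expires after HANDOFF_TTL_SECONDS."""
        account = self.app_logins.get(app_login_id)
        if account is None:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.handoff_tokens[token] = (account, now + HANDOFF_TTL_SECONDS, app_login_id)
        return token

    def redeem_handoff(self, token, now=None):
        """Browser exchanges the token for a session exactly once; replayed,
        expired or orphaned tokens (app login already revoked) are rejected."""
        now = time.time() if now is None else now
        entry = self.handoff_tokens.pop(token, None)   # pop => single use
        if entry is None:
            return None
        account, expiry, app_login_id = entry
        if now > expiry or app_login_id not in self.app_logins:
            return None
        session_id = secrets.token_urlsafe(16)
        self.web_sessions[session_id] = account
        return session_id

    def web_sign_out_everywhere(self, session_id):
        """Browser sign-out also revokes the desktop logins and pending tokens
        for the account, so a shared workstation cannot re-enter it without
        fresh credentials."""
        account = self.web_sessions.pop(session_id, None)
        if account is None:
            return
        self.app_logins = {k: v for k, v in self.app_logins.items() if v != account}
        self.handoff_tokens = {k: v for k, v in self.handoff_tokens.items() if v[0] != account}


def unsafe_flow_re_enters_after_sign_out():
    """Runs the thread's reproduction steps against the unsafe pattern.
    Returns True when the browser is signed in again after a web sign-out."""
    backend = AccountBackend()
    app = backend.app_sign_in("facility-master-account")   # constructed account name
    first = backend.go_to_web_unsafe(app)
    backend.web_sign_out_unsafe(first)                     # owner signs out of the site
    second = backend.go_to_web_unsafe(app)                 # next user clicks the menu item
    return second is not None


def hardened_flow_results():
    """Same steps against the hardened pattern. Returns (first handoff worked,
    replay rejected, expired token rejected, re-entry after sign-out rejected)."""
    backend = AccountBackend()
    app = backend.app_sign_in("facility-master-account")
    token = backend.issue_handoff(app, now=0)
    session = backend.redeem_handoff(token, now=1)
    replay_rejected = backend.redeem_handoff(token, now=2) is None
    stale = backend.issue_handoff(app, now=10)
    expired_rejected = backend.redeem_handoff(stale, now=10 + HANDOFF_TTL_SECONDS + 1) is None
    backend.web_sign_out_everywhere(session)
    reentry_rejected = backend.issue_handoff(app, now=20) is None
    return (session is not None, replay_rejected, expired_rejected, reentry_rejected)


if __name__ == "__main__":
    print("unsafe pattern re-enters after sign-out:", unsafe_flow_re_enters_after_sign_out())
    print("hardened pattern (first ok, replay/expiry/re-entry rejected):", hardened_flow_results())
```

The point of the hardened variant is that a browser sign-out becomes meaningful on a shared workstation: the app cannot silently re-seed a web session because its own login is revoked with it, and a captured handoff token is worthless after one use or one minute.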
  • Wed, May 25 2022 5:58 AM In reply to

    Re: Avid Link security vulnerability for facilities

    Hi

    I would just like to confirm the above is true. An auto logon feature should also be introduced; by default it should be off, with the option to enable it, like the Nexis client. Avid Link could also do with user access rights: an administrator who can view the whole account, and a single user who can only activate/deactivate a specific machine.

    Adobe has the teams feature which sort of does this, but I'm no Adobe licensing expert and have only looked at it and set it up once. 


    From the old Apple Quadro 950 to HP Z8xx. My current own systems: 1x Z420 E5 1650 32GB memory quadro K2200, 1x XW8600, 2x 3.0Ghz Quadcore, 24GB memory...

    Jeroen van Eekeres 

    Technical director, Broadcast support engineer, Avid ACSR.


    Always have a backup of your projects....Always!!!! Yes Always!!!!

    A.V.I.D....... Another Version In Development

    www.mediaoffline.com


  • Wed, May 25 2022 4:16 PM In reply to

    • ck123
    • Top 500 Contributor
    • Joined on Wed, Jul 17 2013
    • PA
    • Posts 213
    • Points 2,685

    Re: Avid Link security vulnerability for facilities

    Have you turned OFF Admin functions in Avid Link?

    Admin Functions: Administrators can use this option to limit the features of Avid Link, such as
    software installations and Activations. You must be logged into a local administrator account in
    order to set/change admin functions in Avid Link.

    Additionally, according to the Avid Link guide (not tested myself), any users added to a local or network user group called "Avid Link Restricted Users" will not have the ability to download or install software and will not be able to modify Activations in any way. When a user added to that group opens Avid Link they should see the text [restricted] in the Avid Link title bar.

    I have not yet tested the group Restriction but am eager to give it a go.

    Charles

    HP zBook 17 G3, G4, G5, G6; HP z220, HP z240, HP z420, HP z440, HP z840, HP Z4 G4, HP Z2 mini G4, Z2 mini G5, Dell Precision 3420 & 3430, Dell Precision...
  • Fri, May 27 2022 1:12 PM In reply to

    • ck123
    • Top 500 Contributor
    • Joined on Wed, Jul 17 2013
    • PA
    • Posts 213
    • Points 2,685

    Re: Avid Link security vulnerability for facilities

    Subsequently, I did confirm that clicking Go To MyAvid in Avid Link bypasses the website sign in page. Avid - big no no.


    HP zBook 17 G3, G4, G5, G6; HP z220, HP z240, HP z420, HP z440, HP z840, HP Z4 G4, HP Z2 mini G4, Z2 mini G5, Dell Precision 3420 & 3430, Dell Precision...
  • Wed, Jun 22 2022 5:23 AM In reply to

    Re: Avid Link security vulnerability for facilities

    I am trying to evaluate Avid for our company, using Avid First. But we're stuck. Avid Link won't connect, omegle and eventually crashes. Can anyone help?
