Found a security flaw connecting via VLC mobile


I have a share with read/write permissions allocated to one user on my Nas.

I downloaded VLC mobile app on my iPhone 6. On the app I went to the Local Network section. My nas appears as both a UPnP and SMB device.

If i select my nas under the uPnP i see two folders appear, Photos and Videos. From within these folders I am able to view all the content which should only visible to my nas user.

I haven’t entered any usernames and passwords on my VLC app. Why and how is my phone able to access the folder share which only one user should be able to access?

Am I doing something wrong?? How can I secure my photos and videos from this share?

EX4 - Firmware Version : 2.11.140
iPhone 6 - 9.4.3 with VLC

Because you gave UPnP enabled, which has no means of authentication.
If you don’t want that to happen, disable media serving for those shares.