Possible security breach

  • Hi. I observed that my LibreELEC device (latest version) was visible on my Windows PC so I started to fool around in the folders just to learn about its structure...

    I rapidly noticed that in /Userdata/passwords.xml, the credentials to my NAS are saved in the clear (!)

    This is not good, even if documented... really not good ;(

  • Don't make LE visible to your network. This is no different than any Kodi installation; if you have access to the filesystem you can access passwords.xml, so not LE specific.

  • @emvee I believe PhilippeB is talking about the Samba share /Userdata, which is indeed readable by guest accounts, when he talks about folders. By "folder" he is not talking about filesystem access but network share access (which has the same icon as any other folder in the file explorer, thus I guess he is not telling one from the other).

    I see no passwords in this file here, but maybe I saved none.

    Or do you mean no one should have access to port 445 on the LibreELEC box?

  • Nothing was breached. LE intentionally ships with Samba enabled to mitigate support issues with typically low/no Linux skilled users, and the default shares expose /storage/.kodi/userdata, where Kodi subsequently stores passwords in cleartext. You can either disable Samba in the LE settings add-on (as you didn't choose to disable it when prompted during the first-run wizard) or you can configure a credential so there is no open access to the Samba shares.

    NB: I'll take an action to formally document our insecurities in the wiki alongside installation instructions. They are widely discussed in the forum for anyone searching for info, but not the wiki.
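
Added example, not part of the thread and not LibreELEC or Kodi code: a small audit script to run over a copy of passwords.xml, listing which saved sources embed a password (with the password redacted) so you know which NAS credentials to rotate if the share was open to guests. The passwords/path/from/to layout, the host names and the credentials in the sample are assumptions constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample input. The element layout is an assumption about the file.
SAMPLE = """<passwords>
  <path>
    <from pathversion="1">smb://nas.example/media</from>
    <to pathversion="1">smb://kodi:S3cret%21@nas.example/media/</to>
  </path>
  <path>
    <from pathversion="1">nfs://nas.example/export</from>
    <to pathversion="1">nfs://nas.example/export/</to>
  </path>
</passwords>"""


def audit_passwords_xml(xml_text):
    """Return one finding per saved path whose target URL embeds a password."""
    findings = []
    root = ET.fromstring(xml_text)
    for path in root.iter("path"):
        target = (path.findtext("to") or "").strip()
        parts = urlsplit(target)
        if not parts.password:
            continue  # no user:password@ part in this URL
        host = parts.hostname or ""
        # Rebuild the URL without the secret so the report is safe to share.
        redacted = f"{parts.scheme}://{parts.username}:***@{host}{parts.path}"
        findings.append({
            "scheme": parts.scheme,
            "host": host,
            "user": parts.username,
            "redacted": redacted,
        })
    return findings


if __name__ == "__main__":
    # With no argument, audit the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for f in audit_passwords_xml(text):
        print(f"cleartext credential for {f['user']}@{f['host']}: {f['redacted']}")
```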