- cross-posted to:
- [email protected]
- cross-posted to:
- [email protected]
We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What weāre doing
Weāve already addressed the method that this third party used to gain access to the system, and weāre undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, thereās a checkbox to āSign out connected devices after password change,ā which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says āSign out of all devicesā. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you havenāt already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
Itās not. Itās an MD5 of the filepath. UUIDs are generic and random, not specifically tied to something.
https://github.com/search?q=repo%3Ajellyfin%2Fjellyfin+md5&type=code
If you do a basic search, youāll find that most api endpoint generated values are simply md5 of the filepath. And they just call this a GUID in the code⦠itās not. Itās completely determinable. And the problem with this is expounded considerably if you use a default docker config (so folder path is known) and an *arr stack (so filenames get standardized). How many people modify these things significantly? Pre-hash a few permutations and just check away⦠Get someone like Sony (whoāve installed rootkits on peopleās computer before⦠so they donāt give a shit), and now you could find yourself in court.
https://github.com/jellyfin/jellyfin/blob/3936fc9f253d15ae31afbdfe5fcf1684c441263c/Jellyfin.Api/Controllers/VideosController.cs#L315 is the api call itself. No auth.
Is exactly the problem I have though with the evangelical preaching all about jellyfin here. Iāve brought this topic up probably about a half dozen times in the 2 years Iāve been on lemmy⦠and a while longer before on Reddit. DOZENS of people comment the same things you are⦠and get it completely wrong. And many more end up messaging me or responding that they had no idea this was an issue. Yet I continue to see people singing praises of Jellyfin! and how it must be so much more secure! When it completely isnāt. So many people brush it off⦠then flip their shit about Plex doing something.
If weāre talking āmitigationsā. Plex is more secure by default⦠and if you want to get off their auth⦠you can access your network via VPN and set the VPN subnet as ālocalā so you donāt have to do their auth. But at least plex doesnāt just let unauthed people access whatever they can guess as a default out the box option. And certainly donāt have any security issues sitting around for 5+ years waiting for a dev to do something about it.
Edit: forgot to finish a thought. Finished it.
Edit2:
Which immediately points to Jellyfin⦠as if it was ābetterā somehow. while downplaying the actual issue without actually reading what Iām complaining about
Overblown if you have mitigations? Sure⦠but how many do? And why are we treating software that is taking actual actions to better security as āWorseā than something that canāt clear a simple problem in 5+ years because devs donāt want to ābreak compatibilityā.
Edit3: OH! forgot this as well⦠āwell theyād need to know where to find servers before they can access them to check!ā Yup⦠hello shodan! https://www.shodan.io/search?query=jellyfin Would be trivial to make a script that does all of this and crawls shodan or other sources for domain/ip information. Hell you can probably just look up all LE certs issued that contain ājfā or ājellyfinā or other permutations of subdomains too. But shodan has a list of 11,788 when I check⦠thatās not insignificantā¦
Love you for still trying. I donāt know how often Iāve written the same comment. They simply donāt care.
I think people think that Iām anti-jellyfin or something. Iād love to dump Plex⦠I WANT to dump it so bad (basically the day they did the arcade shit Iāve been highly turned off, what was that? 6 years ago?). But Plex is the best tool for what I need. Jellyfin could be there⦠But itās not. Everytime I see it recommended blindly without the massive caveats (especially in the context of a random Plex fuckup that is substantially less of a problem) I just feel compelled to attempt to remind people. I dunno. Deaf ears maybe⦠but blind trust just because itās open source isnāt the answer either. And honestly it turns me off contributing to some of the projects that I do because if I was to speak out about problems in those⦠how many people would listen?
The most succinct response Iāve seen on the matter āThe statements The Jellyfin Project makes about exposing Jellyfin directly to the Internet, without a reverse proxy, is less about Jellyfin being insecure and more about there being no effort made to make Jellyfin secure.ā
Yeah, me as well. I have a Jellyfin configured and ready to go, but since I share my Plex with a lot of users, half of whom would be turned off by the need of a vpn, I wonāt switch until theyāve sorted their shit out.
Thatās exactly it. And I feel the devs found that their users donāt care or will even defend it, so they wonāt tackle it and avoid the problems that come with a rewrite of parts of their api. Plex gets flag for not adding quality of life features people want for the media player, but Jellyfin gets a pass for actual security issues.
It seems strange to me that you feel a service which forces you to log into a cloud service then leaks private data is somehow better than a service that allows users to operate strictly offline.
Feels strange to me that we just accept
comments like these that imply that jellyfin is a direct replacement for Plex when you yourself say itās not. Especially an implication that youād only āhack oneā when the software itself has a massive gaping hole on ALL installs. Your only saving grace is if you deviate from āstandardā install procedures.
Iāve already mentioned it several times. I want to dump Plex. I donāt like the SSO that they solely control. I donāt like many of the changes that theyāve made in the 12 years Iāve been using it. Itās still the best product for watching my content.
Nobody is running Jellyfin strictly offline. At the bare minimum people leave it internet connectable to grab metadata and other resources, and more realistically in the context of a topic about Plex, Jellyfin would need to be internet accessible because thatās why people are using Plex. The jellyfin devs have already made it clear they donāt care about security issues. Why are you trusting the software when they ignore simple to fix issues that have merges waiting but they wonāt implement because āreasonsā. What other issues could be lurking leaving you open for liability? If someone can show you an issue from 5 years ago that is categorically a security issue and the devs refuse to fix it⦠you should also be questioning EVERYONE who advocates itās use to replace a service thatās meant to be accessible in the way Plex is.
Edit: adding a little bit⦠forgot about it.
I didnāt say that. I agree with it though. They arenāt 1:1.
Iām not arguing with me about the merits of you using Plex. Entirely possible it suits your needs better. But most important to many of us is the ability to run offline. Once youāre online, youāre right that Jellyfin has some ground to make up.
I run it offline, in a network that doesnāt even have a path from the outside world. I have a separate gluetun network for getting metadata outside the media server. Even still, connecting to the internet is a vastly different security service that allowing connections from the internet.
I wouldnāt even really debate any of your negative points about Jellyfin; all true. Iām just saying Jellyfin is a replacement for Plex in many cases, even if not yours. For me, where I want to run offline a service that doesnāt force me to log into a cloud server to watch my own stuff on my own network, it is a replacement. And on top of that, I just like it more. I like the interface more and feel its syncplay is less problematic.
I was referencing the picture⦠which was the original comment I replied to. I recognized that your comment delineated that jellyfin should be offline. I appreciate that. I wish I saw more of that. This way we donāt screw the new people to our media hoarding ranks. (I mean seriously⦠Thereās people like this out there⦠https://www.shodan.io/host/180.125.230.199 Theyāre part of this community⦠somewhere.)
It is⦠And Iām actually quite jealous that you have people using your server that you can watch movies together with⦠and are all using and capable of using a tunnel service without stupid amounts of support or other equipment limitations (good luck getting a vpn working on a Roku tv!). But if I want to syncplay with my family⦠plex is the only sane answer, regardless of itās functional flaws.
Edit: or even worse⦠This personā¦https://www.shodan.io/host/136.61.116.233 Where you can see the jellyfin service user that has a valid login on rdp⦠and their jf is accessible at jellyfin.nonooculusnas.com. Itās even behind Nginx Proxy Manager! (which is recommended by the JF dev team) Yet still responds to probing for contentā¦
If I were you, I wouldnāt even let the others flabbergast you!
Thank you so much for providing so much detail in your comments. I have actually learned a thing or two about Jellyfin. I, like you, am wanting to get off Plex ASAP, but havenāt had the time to sit down and go through with it just yet. Thanks to you, I see those Shodan examples you provided, and the fact that their freaking LOGIN shows up is beyond scary to me.
I appreciate what you have shared. Thank you!
eh, Iām probably pretty grumpy about this discussion because I keep having the same exact 4-5 talking points ādiscussedā over and over just every few months. So I get that Iām probably not the most fun to interact. But this is the point. If nobody ever brings up these issues (including the JF devs themselves on their install documents) then we end up with more people like these shodan people.
The JF devs had a 5 year opportunity to close one massive big hole, that would have been simple and easy. The issues related to it are well known to the dev team and proof of concept was submitted over 5 years ago to them. They actively refuse to merge the code that would fix it because of āreasonsā (most cited being ācompatibilityā with some players). And the most cited solution is āreverse proxyā, which is fine⦠but donāt resolve the problem on itās own. Case and point with the second shodan link you can reach their instance and you can try the calls and it still āworksā even though itās behind NGINX.
This is a massive problem that isnāt being abused yet that we know of⦠but that problem is in EVERY JF instance⦠and has been the whole time JF has been a project since that problem was in the version of emby that JF is forked from. So to say that āPlex bad cause security!ā when they specifically notify and do the ārightā things in response to a problem is crazy when JFās answer has been literal crickets for half a decade.
But yeah, Shodan in general is a really fun tool. Itās good habit to check your own stuff out and see what youāre exposing to the world thatās just findable.
Hereās another thing lots of people overlook. If you use letās encrypt or some other service⦠look into pulling wildcard certs instead of your specific jellyfin subdomain. https://crt.sh/ and other sites will record every public cert thatās registered. Pop your own domain in⦠Can search for all sorts of stuff this way too.
I agree. Iād 100% love to dump Plex immediately, but trying to get my MIL across the country to setup a VPN is just not going to happen. Even if I ship a preconfigured raspberry pi over there, it wonāt work for her TV and if it breaks, sheās gunna want me to go out there and fix it. If Jellyfin ever gets it together enough for that to no longer be necessary, Iāll leave plex. But for now, Iām gunna unfortunately stay with Plex
Fair enough, I was not aware of this, and I wish the developers made this more clear in the issue thread. This does not change my point that my media is not confidential data. I do agree that it should be by default, but a ābreachā where someone accesses a piece of media from my server has no tangible impact on me or my server. A breach that includes my email and account information, absolutely does.
I donāt entirely understand what this response has to do with what I said. Iām surprised to hear you say that people praise Jellyfin as being far more secure than Plex, as I have not heard that. Security has nothing to do with why I use Jellyfin over Plex.
I feel itās overblown either way, as I donāt believe the average user considers their media sensitive enough for it to be an issue. Iām not treating Plex as worse. Again, IāM NOT THE ONE WHO SAID ANY OF THAT. I am simply stating that in this specific instance, this Plex breach has a worse impact than the Jellyfin security concerns you bring up.
My guy, I didnāt start the comment thread, Iām not the one who brought up Jellyfin. I also believe I responded to every point I made, while you ignored many of mine. I donāt know how you can say Iām not reading your comment. Youāre being very weirdly hostile when Iām just trying to have a conversation. I donāt have significant stakes in either Plex or Jellyfin. I do prefer one, but I donāt give a shit what others want to use.
Just want to add that Iām not some completely uninformed user. I have a career in cybersecurity, as well as a degree and plenty of certifications. When discussing a vulnerability, we need to consider the actual risk of a vulnerability, using its likelihood of being exploited and its potential impact. The likelihood of someone attempting to brute force media on my Jellyfin is practically nonexistent, as they have essentially nothing to gain. At best, they find an episode of a show or movie that they could find elsewhere. The impact of someone exploiting this vulnerability is also practically nothing. They would get a stream of the video, minutely impacting the performance of my server.
Again, to be clear, I AGREE with sharing this information. People should be aware of this when using Jellyfin. However, it is not an issue for the majority of users. It is also not anywhere near as bad as a breach of actual account information, data that actually is sensitive. I do not agree with framing it to look like using Jellyfin should be considered generally insecure.
Edit: minor phrasing adjustments
Until a media company like Sony scans your server for their content and serves you a summons⦠Then it will have a significant impact on you. And I doubt the content that Plex leaked actually has any meaningful impact at all. It sucks⦠and is bad⦠but shit happens and nothing is perfect. Iām much more trusting of a company that actually responds and fixes problems that gets reported than one that hides in the corner with finger in ears for 5+ years.
Weāre on a thread where Plex is being derided for a security problem⦠Where the principal comment I responded to says āGlad Iām on Jellyfinā. This is an implicit ājellyfin doesnāt have this problem, itās secureā statement. Otherwise thereād be no point or relevance to the comment for the topic at hand.
You wrote
You are perpetuating that Jellyfin is āsecureā to use on the internet. I was directly referencing what you said. Iām not sure why you keep thinking Iām talking about something else.
Iām a CISO. I hire people like you and give you your job. Iām also no ācompletely randomā but playing the appeal to authority card is stupid on a random internet forum. If I were to leak content secured by the applications that I have security ownership of. Iād be completely fucking jacked. Leaking emails and password hashes are meaningless⦠emails are all well known and password hashes means I just force reset the entire userbase and move on. Plexās āleakā is annoying⦠but not actually sensitive at all. You should know this. It will take a significant amount of time for the bcrypt+salted+peppered passwords to actually be decrypted. Thereās LOTS of time to hash that out, this email is the start of that process.
Now if your media isnāt worth securing⦠then why use authentication at all on Plex or JF? Why do you care about your account auth that protects your media if the media isnāt worth protecting? Why is it your default stance that exposing the media is such a nonissue⦠that your more worried about the data that secures your media more than the actual security of the media?
Unless youāre a media company like Sony, WB, or other company that actually has ownership rights of the IP that youāre storing. Remember⦠Sony has done things like install rootkits on their consumers computers in order to stop piracy. Why do you think that theyāre above asking servers freely if they have their copyrighted content?
The impact isnāt a technical one. but a legal one. And JF could close that door and keep the media confidential in of itself so that this is a non-issue all together but specifically wonāt because of ābackwards compatibilityā. But somehow you trust them to make secure decisions elsewhere with your content?
If you believe the threat of a company scanning a Jellyfin server in an attempt to find copyrighted media is a realistic one, then thatās fine. I do not.
As I said previously, friends and family use my server. Many who are likely to fall for phishing attempts after their email is leaked in a breach like this. I believe the likelihood of them receiving a malicious email from an attacker pretending to be Plex after a breach is much higher than a company successfully scanning my server for copyrighted materials.
Edit:
Like Iāve said a few times. I agree that this should be changed. I do very much hope that Jellyfin does so, and I do feel that itās worth warning users about. I also still find Jellyfin to be a better option for me than Plex. My own risk tolerance allows for the incredibly tiny possibility a company successfully finds media on my server.
There is no point in continuing this discussion, as we simply disagree, and that is not going to change here.
So now your users could be phished by a Plex phish⦠which gets the attacker access to your plex instance upon success? But you already said that you donāt find that worth securing since in JF itās not secure by default⦠Iām fully not understanding here. Is the worry that your users are reusing passwords?
Any user for your system getting an actual phish for plex will at worst get a request to pay for something. Of which I bet theyād talk to you about it as the server owner first since I doubt anyone would want to pay for something youāve given them for free.
Iām not seeing the risk here. Want to expound on that? I can clearly see the risk of direct media access if copyright holders start making random claims for things they find on default insecure servers.