We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure. What happened An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication ...
I’d love to switch. I would do it right now, but the problem is that Jellyfin’s security isn’t better if you open it up to the internet. For example, I’d have to set up a VPN for my remote users for proper security, and most of my users are in other states, not technically inclined, and watch on their TVs. I’d have to at least support a raspberry pi for them, or some sort of site to site VPN, and if it goes down, I’ll be expected to fix it. On top of that, if I do a simple raspberry pi based VPN, it would be made even more complicated since they’d want it to work with their smart TVs.
Again, I really want to switch. But Jellyfin needs to fix their security issues before I can. I’m also happy with the way Plex is reporting this, it’s above the standard “your data is lost” notifications.
Edit: here’s a link to the related GitHub issue I’ve been following: https://github.com/jellyfin/jellyfin/issues/5415
And @[email protected] has a great thread explaining more: https://lemmy.today/comment/18923504
Jellyfin is great… As long as you’re the only one who needs to access the server. I’ve switched to using Jellyfin myself, but I still run Plex for others to access.
I’ve found that I get a smoother playback experience on Jellyfin, but even outside of potential security issues, there are a still couple of features I miss from Plex.
What are those features?
One was automatic collections, but the plugin for this has since been updated, and the bug I was experiencing has been fixed. The one remaining feature that I’m missing is user ratings for media. On Plex I have automatic collections of movies that I’ve rated four and five stars, and it’s quite useful.
My big complaint with Jellyfin is that their documentation showed a “fast forward” hotkey that convinced me to switch from Plex, and when I started it up it was a misnamed “jump forward five seconds” button instead.
It’s still better for my needs, but I remain angry.
Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account
Again, its not random. It’s not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you’re done
Put your files in a randomly named root folder and it’s fixed. Even still, isn’t the worst they could do pirating your service?
No, the worst is that a company like Sony or their lawyers can find my server and create a list of movies I offer and then sue me over it. I live in a country where lawyers make a living doing nothing but that.
Besides that, security by obscurity is the worst possible form and barely qualifies as security at all. It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.
And none of this is clearly communicated by the project. The unauthenticated endpoints are not disclosed, the issues with the filepath is not disclosed. Jellyfin fans treat it as a drop in replacement for Plex, but people using it as such basically throw an unauthenticated server onto the open web
The Jellyfin devs have quite clearly outlined some of the issues in the setup guides, and others are detailed in issues on Github. They do work on it, but most bad code was inherited and they have limited time on their hands to fix it, preferably in a way that doesn’t instantly mess up everyone’s setups.
They could put a banner in the network settings warning users about these security issues while they get them fixed, that doesn’t require fixing any inherited code. In the GitHub issue linked, there’s at least one upset user because they had no idea this was even a problem.
In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.
Another place? What else? You mean setting up you own server? That is in fact your responsibility.
I live in a country where making copies of movies and having them for private consumption isn’t illegal.
I wouldn’t blame the Jellyfin devs for this situation, they inherited a lot of bad code from Emby and are still cleaning it up.
If you hand wave those away then you can’t possibly have any issue with Plex.
I don’t have an issue with Plex. I don’t use it
I mean, that’s fine, but it’s still an issue and a risk that would cause me to want to use VPN for remote viewing. It doesn’t seem like security is Jellyfin’s priority at the moment, not that it’s Plex’s either, but it’s not to a place where it’s worth it to switch from a security standpoint, personally.
Plex has a whole team dedicated to security. It’s obviously not perfect and it is a larger attack surface than Jellyfin, but I’ll take that any day over devs who treat security as an afterthought
You mean the security team that got pwned here?
What about the pwned users of Jellyfin that have unknowingly had security holes for 5 years because Jellyfin doesn’t care enough to even put a banner in their settings to say it’s not secure?
Still better to have a team to react to this incident than just have them shrug and ignore it for 5 years
This is the same reason I haven’t switched. My parents use it to watch the local OTA channels and I have zero intention of supporting a site to site VPN on their home network and multiple mobile devices.
Thank you for that issues link. I keep trying jellyfin every now and then and I run into issues with general bugginess so I haven’t been able to switch. Seeing that it’s kinda full of security holes makes me even more reticent.