We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure.
What happened
An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication data.
Any account passwords that may have been accessed were securely hashed, in accordance with best practices, meaning they cannot be read by a third party. Out of an abundance of caution, we recommend you take some additional steps to secure your account (see details below). Rest assured that we do not store credit card data on our servers, so this information was not compromised in this incident.
What we’re doing
We’ve already addressed the method that this third party used to gain access to the system, and we’re undergoing additional reviews to ensure that the security of all of our systems is further strengthened to prevent future attacks.
What you must do
If you use a password to sign into Plex: We kindly request that you reset your Plex account password immediately by visiting https://plex.tv/reset. When doing so, there’s a checkbox to “Sign out connected devices after password change,” which we recommend you enable. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in with your new password.
If you use SSO to sign into Plex: We kindly request that you log out of all active sessions by visiting https://plex.tv/security and clicking the button that says ”Sign out of all devices”. This will sign you out of all your devices (including any Plex Media Server you own) for your security, and you will then need to sign back in as normal.
Additional Security Measures You Can Take
We remind you that no one at Plex will ever reach out to you over email to ask for a password or credit card number for payments. For further account protection, we also recommend enabling two-factor authentication on your Plex account if you haven’t already done so.
Lastly, we sincerely apologize for any inconvenience this situation may cause you. We take pride in our security systems, which helped us quickly detect this incident, and we want to assure you that we are working swiftly to prevent potential future incidents from occurring.
For step-by-step instructions on how to reset your password, visit:https://support.plex.tv/articles/account-requires-password-reset
Huh, I guess centralizing all of that userdata was a bad idea. Weird. If you hack some dude's Jellyfin, you just hack some dude and no one else.
You don't even have to hack jellyfin though. Quite a few endpoints aren't behind authentication at all.
But that doesn't help your case so I'm sure you'll just downvote me.
Edit: For those who don't know. https://github.com/jellyfin/jellyfin/issues/5415
Several issues. Some require being logged in with any account (to get other user information on the server, including admin)... others are endpoints that let media access if you guess a guessable md5 hash(which is normalized in docker setups in general... and standardized by *arr setups. So highly guessable if you use these tools... which most of you are). The sort of thing that media companies will absolutely abuse eventually if they're not already doing it to collect proof that you're hosting their content illegally. But I just find it laughable that this is the answer... but ya'll are frothing at the mouth over plex leaking an email address... Oh no! not the email address you already get boatloads of spam at! However will you live!
Endpoints that dont give you any data that would be considered a breach.
That unauthentic endpoint shit is so overblown. They should be authenticated and I hope it changes in the future, but its really not a serious issue. If they worry you, put the endpoints behind your own authentication through your reverse proxy.
Complete access to your media without authentication isn't "don't give you any data".
Meanwhile you're all frothing at the mouth cause Plex leaked email addresses and encrypted passwords.
And you're correct. It's not a breach... because it wasn't protected to begin with.
Edit: You ninja edited your post... bad nettiquette.
Breaks every app for jellyfin including tv apps. So no. that's not a valid answer.
Edit2: And I want to be clear about this... I don't simp for Plex I want off of the platform too... But Jellyfin in it's current state is a much worse security nightmare IMO. I can at least kill the plex relay binary and packet sniff it to know that it's not sharing data I don't want it to share. Jellyfin just lets everyone in that can guess a filepath (which you can "fix" by obfuscating it... but ask any security professional about that.) and somehow Jellyfin is the messiah? Devs ignoring a 5+ year old issue that already proof-of-concepted... is wild.
The media on my server is not what I'd consider private data, it's just media. If someone wants to spend their time brute forcing randomized UUIDs to have a minuscule chance of viewing some media on my server, then I really couldn't care less. Especially since they're gonna get blocked by http probing detection after a few tries.
If someone could the emails and hashed passwords, then I would care about the spam I'd be constantly receiving after and the possibility of my friends and family's passwords being exposed, as not all of them use secure passwords (despite my best efforts to convince them to change that).
Simply put, if I was using Plex right now, this breach would impact the many family members and friends using my server, something I'd feel guilty about. Meanwhile, with Jellyfin, none of these concerns would have any effect on them.
I edited it right after posting because I accidentally clicked post. Didn't think you'd respond that fast.
This was my only comment in the thread. Kinda feels like your reply here is taking out your frustration with this entire thread on my reply.
I assumed you were talking about stuff besides media playback. There are other endpoints that can be secure using your reverse proxy without breaking any apps.
That's not how the endpoint works. It is a randomized UUID.
Depending on your security posture, this may be an issue for you. It is not for me, and likely is not for many other users. My media is not sensitive information. My email and other identification info is.
Edit: formatting
It's not. It's an MD5 of the filepath. UUIDs are generic and random, not specifically tied to something.
https://github.com/search?q=repo%3Ajellyfin%2Fjellyfin+md5&type=code
If you do a basic search, you'll find that most api endpoint generated values are simply md5 of the filepath. And they just call this a GUID in the code... it's not. It's completely determinable. And the problem with this is expounded considerably if you use a default docker config (so folder path is known) and an *arr stack (so filenames get standardized). How many people modify these things significantly? Pre-hash a few permutations and just check away... Get someone like Sony (who've installed rootkits on people's computer before... so they don't give a shit), and now you could find yourself in court.
https://github.com/jellyfin/jellyfin/blob/3936fc9f253d15ae31afbdfe5fcf1684c441263c/Jellyfin.Api/Controllers/VideosController.cs#L315 is the api call itself. No auth.
Is exactly the problem I have though with the evangelical preaching all about jellyfin here. I've brought this topic up probably about a half dozen times in the 2 years I've been on lemmy... and a while longer before on Reddit. DOZENS of people comment the same things you are... and get it completely wrong. And many more end up messaging me or responding that they had no idea this was an issue. Yet I continue to see people singing praises of Jellyfin! and how it must be so much more secure! When it completely isn't. So many people brush it off... then flip their shit about Plex doing something.
If we're talking "mitigations". Plex is more secure by default... and if you want to get off their auth... you can access your network via VPN and set the VPN subnet as "local" so you don't have to do their auth. But at least plex doesn't just let unauthed people access whatever they can guess as a default out the box option. And certainly don't have any security issues sitting around for 5+ years waiting for a dev to do something about it.
Edit: forgot to finish a thought. Finished it.
Edit2:
Which immediately points to Jellyfin... as if it was "better" somehow. while downplaying the actual issue without actually reading what I'm complaining about
Overblown if you have mitigations? Sure... but how many do? And why are we treating software that is taking actual actions to better security as "Worse" than something that can't clear a simple problem in 5+ years because devs don't want to "break compatibility".
Edit3: OH! forgot this as well... "well they'd need to know where to find servers before they can access them to check!" Yup.. hello shodan! https://www.shodan.io/search?query=jellyfin Would be trivial to make a script that does all of this and crawls shodan or other sources for domain/ip information. Hell you can probably just look up all LE certs issued that contain "jf" or "jellyfin" or other permutations of subdomains too. But shodan has a list of 11,788 when I check... that's not insignificant...
Love you for still trying. I don't know how often I've written the same comment. They simply don't care.
I think people think that I'm anti-jellyfin or something. I'd love to dump Plex... I WANT to dump it so bad (basically the day they did the arcade shit I've been highly turned off, what was that? 6 years ago?). But Plex is the best tool for what I need. Jellyfin could be there... But it's not. Everytime I see it recommended blindly without the massive caveats (especially in the context of a random Plex fuckup that is substantially less of a problem) I just feel compelled to attempt to remind people. I dunno. Deaf ears maybe... but blind trust just because it's open source isn't the answer either. And honestly it turns me off contributing to some of the projects that I do because if I was to speak out about problems in those... how many people would listen?
The most succinct response I've seen on the matter "The statements The Jellyfin Project makes about exposing Jellyfin directly to the Internet, without a reverse proxy, is less about Jellyfin being insecure and more about there being no effort made to make Jellyfin secure."
Fair enough, I was not aware of this, and I wish the developers made this more clear in the issue thread. This does not change my point that my media is not confidential data. I do agree that it should be by default, but a "breach" where someone accesses a piece of media from my server has no tangible impact on me or my server. A breach that includes my email and account information, absolutely does.
I don't entirely understand what this response has to do with what I said. I'm surprised to hear you say that people praise Jellyfin as being far more secure than Plex, as I have not heard that. Security has nothing to do with why I use Jellyfin over Plex.
I feel it's overblown either way, as I don't believe the average user considers their media sensitive enough for it to be an issue. I'm not treating Plex as worse. Again, I'M NOT THE ONE WHO SAID ANY OF THAT. I am simply stating that in this specific instance, this Plex breach has a worse impact than the Jellyfin security concerns you bring up.
My guy, I didn't start the comment thread, I'm not the one who brought up Jellyfin. I also believe I responded to every point I made, while you ignored many of mine. I don't know how you can say I'm not reading your comment. You're being very weirdly hostile when I'm just trying to have a conversation. I don't have significant stakes in either Plex or Jellyfin. I do prefer one, but I don't give a shit what others want to use.
Just want to add that I'm not some completely uninformed user. I have a career in cybersecurity, as well as a degree and plenty of certifications. When discussing a vulnerability, we need to consider the actual risk of a vulnerability, using its likelihood of being exploited and its potential impact. The likelihood of someone attempting to brute force media on my Jellyfin is practically nonexistent, as they have essentially nothing to gain. At best, they find an episode of a show or movie that they could find elsewhere. The impact of someone exploiting this vulnerability is also practically nothing. They would get a stream of the video, minutely impacting the performance of my server.
Again, to be clear, I AGREE with sharing this information. People should be aware of this when using Jellyfin. However, it is not an issue for the majority of users. It is also not anywhere near as bad as a breach of actual account information, data that actually is sensitive. I do not agree with framing it to look like using Jellyfin should be considered generally insecure.
Edit: minor phrasing adjustments
Don't expose jellyfin to the internet and it won't be hacked. But you are forced to make a Plex account, if you want to use Plex.
Don't expose Jellyfin and you don't have a competitor program that does what Plex does... stop recommending it as a replacement if it's not a replacement. And this is ignoring that it's recommended to expose to the internet on their own documents.
You've missed the point. You can't be mad at plex for taking action and closing security gaps after becoming aware of them... then in the same breath recommend a service that can't even be on the internet because it's so poorly secured.
I'm angry about both, yet still prefer Jellyfin. Why? I control everything about it. I self host it and can choose who has access (including putting it behind a VPN). I have the code so I can patch it if I choose. I can even disable the problematic endpoints of I'm fine with the repercussions.
With Plex, i have to live with their central servers. With Jellyfin, I don't, and it's much less likely a corpo comes after me specifically than happens to see something via a Plex compromise.
I think both are fine services, and I appreciate Plex's response here. I still prefer Jellyfin.
While I whish access were secured at some point. I'm still yet to see one of those guessed hash attacks on the wild.
A good thing about Jellyfin is that we KNOW its insecurities because it's open source.
Other software may be insecure like that but you would only know after an incident happens because you cannot audit the source code.
Yup, and that's why I still use it despite its security issues. I run it in a rootless container, so even if there's some sort of breach, it should be contained.
Personally I wish I could just make authentication optional on my jellyfin just like it is for peertube and funkwhale.
That would be a perfectly valid answer... But the Devs have posted several times that they're not interested in resolving it.
I'd accept a checkbox on install of Jellyfin for "Check this box for better security... some unsupported software might not like this. Go to Options/blah/blah to change this later if you need to change this later."
I'd probably shut the fuck up about this whole thing and dump Plex. But every single time Plex ends up in an article there's people singing praises about Jellyfin when there's completely open endpoints... It just baffles me. Downvotes be damned, I'll bring it up though when I see it since the devs won't bother telling people their software has a potentially big problem (especially if you use default configs, docker, and *arr stacks).
Well its good to make sure people know about it, but I would think most admins already know and just don't care. Its certainly not news to me, and doesn't seem very useful in terms of actually exploiting anything.
I'm curious what youd think a kind of worst case scenario would be for any of the current jellyfin auth issues. Like what would someone with bad intentions be able to do?
I think the Plex issue with emails being stolen is a bigger problem because then those emails can get phished for their Plex accounts and possibility more. I still wouldn't consider it a huge deal though, Plex handled it correctly.
My real issue with Plex and why I constantly shit on them is that they stole from XBMC and made a business model that monetizes piracy or at least tries to.
Stolen is a bit loaded in my opinion... XBMC was open source. All the parts that rely on that are available for free. Lots of websites out there sell shit... and run off of NGINX or Apache. taking open source things and building on them is common at this point.
Edit: Fuck, hit enter early... one moment. Edit2: here we go...
you have your setup... you configured it like the git repo said too and even used the container guide told you to (https://jellyfin.org/docs/general/installation/container/). You have now standardized the path... because the internal path that is recommended in the official compose will likely not change... (especially in the linuxserver version, https://hub.docker.com/r/linuxserver/jellyfin). Then you hear about *arr stack stuff and how people evangelize that on this platform too ( I'm one of them!). Standard naming convention gets applied there too...
So now bigbucksbunny.mov is stored on /data/movies/bigbucksbunny(2008)/bigbucksbunny.mov. You can pre-calc that md5 hash and probably nail people right now and get a result. Now be SONY or some other lawsuit happy studio. Grab a list of all your releases and precompile common paths and names (this would like be something that an LLM would be good at doing... fetching lists of paths that people post on reddit and other places)... generate the MD5 list. Maybe 1000 permutations of your top 10 movies... bonus points if there's no physical release (since you could claim that you ripped the content yourself... can't do that on streaming only content). Curl through the list of 10000 variants... if you get a hit on anything then you know they have your content... and it's publicly accessible (which could be argued in court for distribution... though I'm not a lawyer and don't know how reasonable that is.) You as the owner would then be on the hook... and lawsuits would commence promptly.
This is a potential "worse case" in my mind. Of course because they have evidence of access direct from your system, they can then subpoena access to the whole system... where your whole library becomes available for them to search further for more copyright violations and now your in real deep shit to explain to the courts.
Now... if you're in a country that doesn't care! Cool... just stop recommending Jellyfin to those that would get fucked by this. Are there ways to mitigate this highly? Absolutely... fail2ban, anubis, cloudflare bot detection shit, changing paths or adding GUID to your media library path... all can probably fix this... But none of that is in the jellyfin docs... and NOBODY else seems to mention it except for me when this discussion comes up... So how many people are actually doing it?
Okay so they violated the GPL to produce their product, it started off on good terms and contributing back up stream but then they got greedy and decided to stop giving back, On top of that they also provide nothing upstream to FFMPEG or any other of the open source projects they benefited massively from... basically they are leeches of open source software... but you are technically correct [1] to say its not literally stealing.
[1] The best kind of correct
I just edited what I meant to originally send.... Now I'm replying so you get flagged and can look at it. Sorry that I fat fingered the enter button and jacked up the thread. My bad.