• exu@feditown.com
    link
    fedilink
    English
    arrow-up
    6
    ·
    13 days ago

    Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account

    • MaggiWuerze@feddit.org
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      13 days ago

      Again, its not random. It’s not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you’re done

    • AmbiguousProps@lemmy.today
      link
      fedilink
      English
      arrow-up
      5
      ·
      13 days ago

      I mean, that’s fine, but it’s still an issue and a risk that would cause me to want to use VPN for remote viewing. It doesn’t seem like security is Jellyfin’s priority at the moment, not that it’s Plex’s either, but it’s not to a place where it’s worth it to switch from a security standpoint, personally.

      • MaggiWuerze@feddit.org
        link
        fedilink
        English
        arrow-up
        4
        ·
        13 days ago

        Plex has a whole team dedicated to security. It’s obviously not perfect and it is a larger attack surface than Jellyfin, but I’ll take that any day over devs who treat security as an afterthought

          • MaggiWuerze@feddit.org
            link
            fedilink
            English
            arrow-up
            4
            ·
            13 days ago

            Still better to have a team to react to this incident than just have them shrug and ignore it for 5 years

          • AmbiguousProps@lemmy.today
            link
            fedilink
            English
            arrow-up
            2
            ·
            edit-2
            12 days ago

            What about the pwned users of Jellyfin that have unknowingly had security holes for 5 years because Jellyfin doesn’t care enough to even put a banner in their settings to say it’s not secure?

            • emax_gomax@lemmy.world
              link
              fedilink
              English
              arrow-up
              1
              ·
              12 days ago

              What security holes? I think the bigger problem here is relying on a media platform to also maintain security protocols. Use authelia or plug some other well maintained and hardened security mechanism on top of jellyfin. Then put it in front of everything else like the arrs, etc. Its weird to me to just setup jellyfin, make it Internet facing, and believing everything is just gonna be safe and secure with no issue. Frankly id prefer if all these services came without security. Its a royal pain to bypass it for localhost or proxying with something like authelia.