I find I’m less of a prick about things if I’m not called things like “prick” and “shill”.

Yet here we are. You’ve fulfilled the prophesy! Thanks for making the world a better place.

You can use Jellyfin with wireguard and still have what Plex does.

Okay… Run wireguard on a roku TV or other many other common media devices. You can’t…

Unless you want to run an open streaming service (which would probably be illegal in most countries anyway).

You can use Plex and JF both without actually hosting illegal content. You should still be worried about devs who refuse to fix a basic security issue that they actively block from being merged.

90% of Plex users probably don’t need what Plex does and would be happy with Jellyfin.

probably… and 99% of users likely have no idea how to secure things properly on their own. Which makes this whole premise even more dangerous for the “typical” person.

That’s not how the endpoint works. It is a randomized UUID.

It’s not. It’s an MD5 of the filepath. UUIDs are generic and random, not specifically tied to something.

https://github.com/search?q=repo%3Ajellyfin%2Fjellyfin+md5&type=code

If you do a basic search, you’ll find that most api endpoint generated values are simply md5 of the filepath. And they just call this a GUID in the code… it’s not. It’s completely determinable. And the problem with this is expounded considerably if you use a default docker config (so folder path is known) and an *arr stack (so filenames get standardized). How many people modify these things significantly? Pre-hash a few permutations and just check away… Get someone like Sony (who’ve installed rootkits on people’s computer before… so they don’t give a shit), and now you could find yourself in court.

https://github.com/jellyfin/jellyfin/blob/3936fc9f253d15ae31afbdfe5fcf1684c441263c/Jellyfin.Api/Controllers/VideosController.cs#L315 is the api call itself. No auth.

Depending on your security posture

Is exactly the problem I have though with the evangelical preaching all about jellyfin here. I’ve brought this topic up probably about a half dozen times in the 2 years I’ve been on lemmy… and a while longer before on Reddit. DOZENS of people comment the same things you are… and get it completely wrong. And many more end up messaging me or responding that they had no idea this was an issue. Yet I continue to see people singing praises of Jellyfin! and how it must be so much more secure! When it completely isn’t. So many people brush it off… then flip their shit about Plex doing something.

Especially since they’re gonna get blocked by http probing detection after a few tries.

If we’re talking “mitigations”. Plex is more secure by default… and if you want to get off their auth… you can access your network via VPN and set the VPN subnet as “local” so you don’t have to do their auth. But at least plex doesn’t just let unauthed people access whatever they can guess as a default out the box option. And certainly don’t have any security issues sitting around for 5+ years waiting for a dev to do something about it.

Edit: forgot to finish a thought. Finished it.

Edit2:

This was my only comment in the thread. Kinda feels like your reply here is taking out your frustration with this entire thread on my reply.

Which immediately points to Jellyfin… as if it was “better” somehow. while downplaying the actual issue without actually reading what I’m complaining about

That unauthentic endpoint shit is so overblown.

Overblown if you have mitigations? Sure… but how many do? And why are we treating software that is taking actual actions to better security as “Worse” than something that can’t clear a simple problem in 5+ years because devs don’t want to “break compatibility”.

Edit3: OH! forgot this as well… “well they’d need to know where to find servers before they can access them to check!” Yup… hello shodan! https://www.shodan.io/search?query=jellyfin Would be trivial to make a script that does all of this and crawls shodan or other sources for domain/ip information. Hell you can probably just look up all LE certs issued that contain “jf” or “jellyfin” or other permutations of subdomains too. But shodan has a list of 11,788 when I check… that’s not insignificant…

Stolen is a bit loaded in my opinion… XBMC was open source. All the parts that rely on that are available for free. Lots of websites out there sell shit… and run off of NGINX or Apache. taking open source things and building on them is common at this point.

I’m curious what youd think a kind of worst case scenario would be for any of the current jellyfin auth issues. Like what would someone with bad intentions be able to do?

Edit: Fuck, hit enter early… one moment. Edit2: here we go…

you have your setup… you configured it like the git repo said too and even used the container guide told you to (https://jellyfin.org/docs/general/installation/container/). You have now standardized the path… because the internal path that is recommended in the official compose will likely not change… (especially in the linuxserver version, https://hub.docker.com/r/linuxserver/jellyfin). Then you hear about *arr stack stuff and how people evangelize that on this platform too ( I’m one of them!). Standard naming convention gets applied there too…

So now bigbucksbunny.mov is stored on /data/movies/bigbucksbunny(2008)/bigbucksbunny.mov. You can pre-calc that md5 hash and probably nail people right now and get a result. Now be SONY or some other lawsuit happy studio. Grab a list of all your releases and precompile common paths and names (this would like be something that an LLM would be good at doing… fetching lists of paths that people post on reddit and other places)… generate the MD5 list. Maybe 1000 permutations of your top 10 movies… bonus points if there’s no physical release (since you could claim that you ripped the content yourself… can’t do that on streaming only content). Curl through the list of 10000 variants… if you get a hit on anything then you know they have your content… and it’s publicly accessible (which could be argued in court for distribution… though I’m not a lawyer and don’t know how reasonable that is.) You as the owner would then be on the hook… and lawsuits would commence promptly.

This is a potential “worse case” in my mind. Of course because they have evidence of access direct from your system, they can then subpoena access to the whole system… where your whole library becomes available for them to search further for more copyright violations and now your in real deep shit to explain to the courts.

Now… if you’re in a country that doesn’t care! Cool… just stop recommending Jellyfin to those that would get fucked by this. Are there ways to mitigate this highly? Absolutely… fail2ban, anubis, cloudflare bot detection shit, changing paths or adding GUID to your media library path… all can probably fix this… But none of that is in the jellyfin docs… and NOBODY else seems to mention it except for me when this discussion comes up… So how many people are actually doing it?

I’m in a thread where Plex admits, responds, then TAKES ACTION. Versus the open source project that’s known about an issue for 5+ years… and sticks their fingers in their ears and tells you that you’re the problem.

I guess that we’ll just reward that project that’s lucked itself into not having an issue rather than a product that actually is trying.

Edit: Oh… and the actual “loss” of data matters here… My email isn’t special. My username isn’t special… The hashed and salted password isn’t special to me. None of this data matters to me in the slightest in this instance. However, potentially probing the content on my server directly DOES matter to me.

Well, when I was talking about not techie people I didn’t mean technology analphabets, everybody can open a port in your consumer router with the help of chatgpt, not everybodies is able to realizes they need a reverse proxy with tls and modify the headers for the Auth…

Being secure in internet is like the herd inmunity for corona times, your system could be fairly secure, but if you are hammered with several bot nets it is going to be a challenge, and there is responsabiity is shipping a product that is easy to be infected.

And your third paragraph really confirms why this post is necessary

Jellyfinn has a nice record of problems during the authentication and escalating privileges, even the developer team recommends to use it behind a vpn and don’t expose it to internet.

If course, you can use a reverse proxy with and external Auth framework to mitigate it, pair it with fail2ban, geo restrictions and a second factor, but those things are not in the scope of the regular user.

Let’s face reality, plex is not such widespread for being the default option in kali Linux…

You’re exactly the kind of Jellyfin user the rest has to thank for the devs lax approach to security. If you actually demanded even basic security, the devs would maybe at least consider it a priority.

But until it no longer provides an unsecured API, you should maybe think about whether you want to portrait it as secure.

Jellyfin holds no sensible data.

Maybe if you don’t live in a country where piracy is actively prosecuted

And Plex is not easier to install and secure than Jellyfin.

You can literally start a Plex server from a exe on desktop windows. Don’t make a fool out of yourself.

Also it is immensely more secure, unless with “Jellyfin” you actually mean “Jellyfin plus a myriad of convoluted extra steps every user has to take by themselves since the devs can’t be arsed to follow basic standards for web security”

Sometimes your data is not important but your computer, nobody wants to be in a netbot.

Well, perhaps plex is not better in security (we don’t know for sure) but at least they have a cyber team, a monitoring system and in every bodies hope, dedicated developers for these topics.

Jellyfinn dies not hve a team like this one per se. Could the developers be better fit and knowledged in jellyfinn than plex? Perhaps, but probably the focus is in the features and not in the security

I don’t mean to come across as confrontational, but, maybe stop defending it then? You can keep using and liking the software while still holding the devs accountable for what is basic modern web security.

If all the Jellyfin users I saw acknowledging the issues actually stopped acting like it was a non issue, maybe the Jellyfin devs would do something about it.

That’s a valid domain, btw.