We have recently experienced a security incident that may potentially involve your Plex account information. We believe the actual impact of this incident is limited; however, action is required from you to ensure your account remains secure. What happened An unauthorized third party accessed a limited subset of customer data from one of our databases. While we quickly contained the incident, information that was accessed included emails, usernames, securely hashed passwords and authentication ...
Again, its not random. It’s not a UUID. Its an md5 hash of the filepath. Which is easily guessable since most people have a very similar if not identical folder structure, especially since a lot have it managed by the *arr suite. take that plus the publicly available release names for movies and you’re done
Put your files in a randomly named root folder and it’s fixed. Even still, isn’t the worst they could do pirating your service?
No, the worst is that a company like Sony or their lawyers can find my server and create a list of movies I offer and then sue me over it. I live in a country where lawyers make a living doing nothing but that.
Besides that, security by obscurity is the worst possible form and barely qualifies as security at all. It’s also another place where the Jellyfin devs leave their users to their own devices when it comes to securing the server against malicious actors.
And none of this is clearly communicated by the project. The unauthenticated endpoints are not disclosed, the issues with the filepath is not disclosed. Jellyfin fans treat it as a drop in replacement for Plex, but people using it as such basically throw an unauthenticated server onto the open web
The Jellyfin devs have quite clearly outlined some of the issues in the setup guides, and others are detailed in issues on Github. They do work on it, but most bad code was inherited and they have limited time on their hands to fix it, preferably in a way that doesn’t instantly mess up everyone’s setups.
In fact security by obscurity is not security at all. In this case it should be authenticated or to the very least to actually use a random string like a uuid. But, changing the root path does prevent it from exploiting. Not perfect but a temporary solution.
Another place? What else? You mean setting up you own server? That is in fact your responsibility.
I live in a country where making copies of movies and having them for private consumption isn’t illegal.
I wouldn’t blame the Jellyfin devs for this situation, they inherited a lot of bad code from Emby and are still cleaning it up.