Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Honestly, is the problem that they need extra hands to fix these issues?
Many of these have already been fixed FWIW, it’s not a collection of open issues.Nevermind, they have only been closed, not fixed. Yikes.No. None of the items are closed. Click the “closed” items. All of them are “Not planned. Duplicate, see 5415”.
Edit: The biggest issue of unauthenticated streaming of content… https://github.com/jellyfin/jellyfin/issues/13777
Last opened last week. closed as duplicate. it’s unaddressed completely.
That’s really sad. Damn, how disappointing.
I mean it was closed as a duplicate of the collection, not closed.
PluginsController only requires user privileges for potentially sensitive actions
- Includes, but is not limited to: Listing all plugins on the server without being admin, changing plugin settings, listing plugin settings without being admin. This includes the possibility of retrieving LDAP access credentials without admin privileges.
Outch
I remember when they were arguing that you don’t need a VPN or proxy basic authentication in front of it because their team knows how to write secure code…
There’s a bug (closed as won’t fix) where proxy basic authentication breaks jellyfin. You can’t use it.
I’m not sure who needs to hear this, but unless you work as a security engineer or in another security-focused tech field, you really shouldn’t be exposing your homelab to the open internet anyway
Most people access their homelabs via VPN - i don’t see anything here that’s a problem for that use-case.
Many people host websites ;)
And I would hope those websites are extremely low-risk and not anywhere near essential infrastructure or data ;)
I need to run a VPN already. Fine for desktop, but this isn’t a solution for mobile (where you can’t run two VPNs simultaneously)
It’s actually possible to run 2 VPNs simultaneously on mobile using RethinkDNS which is an app available on F-Droid. For example I’m currently connected to MullvadVPN and my home network at the same time using two WireGuard configs.
Can you order the wireguard connections?
Eg I want my connections to my home server VPN to first go through my mullvad VPN. Because I dont want any connections coming out of my device that don’t go through a shared VPN or Tor.
This may be easier to do on your home network’s router. For instance, mine allows me to set it up as a VPN host, and also to connect to a VPN provider. It has the option to pass all of the connected clients through the connected VPN. So for instance, if I connect my phone to my home VPN, and my home router is connected to Mullvad, my phone’s traffic also gets passed through Mullvad.
@jagged_circle from my experience with it, I don’t think it’s possible to route VPN traffic via another VPN. It only lets you split tunnel app traffic via multiple VPNs of choice as per attached image.
Another way to achieve something similar would be to setup a work and a private space (recently introduced on android). Each can run it’s own VPN connection which allows you to run 3 simulataneous VPN connections on android.
Omg thank you!
For those unaware, it’s a good idea to be using a service like tailscale (self hosted=headscale if you don’t want to make your login credentials tied to apple, google, or Microsoft). It’s a VPN but a lot simpler to use.
I dont know what that means.
Can I use that in addition to another VPN on mobile?
Afaik android doesn’t allow two VPNs at the same time. If you have a VPN back to your home already, like via your router, you don’t need tailscale although I’d argue it’s still better.
If you mean a VPN like mullvad, afaik you can’t mullvad and tailscale at the same time. I may be wrong but I gave up on global VPNs a while ago.
You can, its an option if you use tailscale. https://tailscale.com/mullvad
Also look into using tailscale lock to secure things more if you do decide to use it
Oh right I forgot about that, cool. Should see if you can do this with headscale (ie client feature vs server feature)
If my server is already open to everyone, what kind of potential attacks do i need to be worried a about? I dont keep personal files on my streaming server, its just videos, music and isos/roms. I dont restrict sign ups, so the idea of an unauthorized user doing something like download a video is a non issue for me really.
I do see where there could be problems for folks running jfin on the same server they keep private photos or for people who charge users for acess, but thats not me.
Am i missing something or is the main result of most of these that a “malicious” actor could dowload files jellyfin has access to without authentication?
I guess the worst thing is that your server starts attacking the US military servers because you’ve become part of a botnet.
That happened to my friend one time when I installed Linux on his computer. He made the username and password the same 4-character word. Got a letter from the DoD.
I dont think they would be so forgiving these days. Especially if you’re brown.
With unrestricted signups, they can obtain their own account easily. With their own account they can enumerate all your other users.
If they have their own account they can just find your instance, make a login, collect all the proof they need that you’re hosting content you don’t own (illegally own) then serve you a court summons and ruin your life.
I wouldn’t worry about the vulnerability in the link since your already wide open. But I wouldn’t leave Jellyfin wide open either. Movie and TV studios are quite litigious.
I hope you’re at least gatekeeping behind a vpn or something.
Edit: typo
Well it’s hosted in The Netherlands and I did take some steps to protect my own identity in regards to registration info, but if the studios did take an interest i’d probably have some fun with it by decaliring bankrupcy and dragging out the appeals.
I mean, sure… but you’d actually have to reasonably liquidate most of your assets at that point. You can’t just “claim” bankruptcy and do literally nothing to sate your debts. Of course this is different on a jurisdictional basis… but overall, you have to sell a lot of your stuff in order to do a proper bankruptcy.
It can decimate any savings you have for retirement.
What assets?🤣
Depending on where you live, it can be up to “all and anything that you may come into direct or indirect ownership of, for the following x years”. Get a job? No salary for you. Want to drive a car? Can’t have insurance on a car that’s not yours. Inheritance? Nope. Get married? Now half of your spouse’s salary is gone. And so on.
You better hire a good lawyer if you want to declare bankruptcy… and how are you going to pay them?
Fair enough if you don’t actually have any… but the courts will still make that decision for you. Some things might count that you don’t expect.
Can someone ELI5 this for me? I have a jellyfin docker stack set up through dockstarter and managed through portainer. I also own a domain that uses cloudflare to access my Jellyfin server. Since everything is set up through docker, the containers volumes are globally set to only have access to my media storage. Assuming that my setup is insecure, wouldn’t that just mean that “hackers” would only be able to stream free media from my server?
If you use normalized paths/file names (through *Arr stacks or docker mounts or otherwise common tools), then the hash that jellyfin sets up when it imports that media can be guessable. If someone was to go and precompile a list of hashes for content that they’re looking for at common paths that people store their files at, they can ask your server for those hashes, and if their list is sufficiently large enough to include the path that you used, your jellyfin instance WILL RESPOND WITHOUT AUTHENTICATION.
I’ve been using this example because it shows how silly this is.
In the context of Sony’s top 1000 movies, they can pre-compile the top 100 likely paths for the file (/movies, /mnt/movies, etc) then run the 100000 hash check through scripts against your instance. How long does it take to let a crawler collect http statuses on 100000 page loads? Now put that to a bot that gets jellyfin instances from a tool like shodan and add more hashes. If you flag, now onus is on you to prove you have license for content and they would have a case that you distributing (albeit weak) since your server was open to the public. This is child’s play level abuse-able. Risking that something easy like this isn’t being abused by Sony and others (you know… willing to install a rootkit on your computer types…) is a very silly stance to take.
The answer to some of this is that you can just hide the content on a more complicated and less likely to guess path. That will sufficiently change the MD5 hashes enough that you should be more or less unguessable… Instead of using
/mnt/media/movies(or /media/movies, or /movies/, etc…) make the path/mnt/k9RKiQvUwLVCjSqhb2gWTwstgKuDJx59S3J35eFzW2dgSSp84EG7PPAhf2MwCySt/media/movies. (obviously don’t use this one… use a random generator. Make your own.)The real answer should be that Jellyfin requires that all those endpoint need authorization/login. But their answer is “We don’t want to break backwards compatibility. So we won’t.” Which is a bit silly of an answer. Those who use the default installation and organize their content with *arr suites (or with default docker settings/guide settings), are most likely to have guessable MD5 hashes and are most at risk.
Edit: Oh and the other point… if the “response” against this is “well that would take too long, or be too hard. You’d need a lot of money to find all these instances and test them…”. We’re talking about the likes of Sony… The ones that installed rootkits on peoples computers for daring to put a CD into a CD-ROM drive. They’re litigious folk, and will bury you in paper and sue you to oblivion. It’s not a lot of machine time to test a single server. Setting up a couple dozen scanners and just letting it go to find content on it’s own isn’t that bad from a computational standpoint.
And another argument I’ve seen here… “Well if they hack your server then that’s illegal too, can’t make a lawsuit out of that”… Except this is normal web operations. Bots and site scanners aren’t illegal. Nor do they break any authentication mechanism (which is illegal) to do this. Specifically putting this behind authentication would make you correct. But Jellyfin didn’t do that (yet). So guess what. It’s perfectly possible for them to setup a few scanners across a few servers and do this 100% legally.
Security through obscurity isn’t security.
Edit2: Clarification on not using the path I just gave… make up your own random gibberish.
I think I understand now. Thank you! I will be changing my paths then. It’s kind of a moot point since I’ll change my paths anyway, but for the sake of my own curiosity, i have a follow up question. Feel free to disregard it if you don’t feel like taking the time to answer.
Hypothetically, my docker setup only allows jellyfin to see /mnt/user as /storage. So jellyfin would report the path to Morbius as being:
/storage/hdd1/media/movies/Morbius_all_morbed_up.mkv
when in all actuality it would be:
/mnt/user/hdd1/media/movies/Morbius_all_morbed_up.mkv
My intuition tells me that the file path that jellyfin “sees” would be the security risk. So “/storage/hdd1/…” Is that correct?
My intuition tells me that the file path that jellyfin “sees” would be the security risk.
Your intuition is correct. JF will generate the MD5 hash based on the path that it’s accessing with. So if it’s normally a unique path then you mount it into the docker container as
/movies/or/mnt/moviesor what have you… Then you lost the uniqueness, all that’s seen is the internal docker path. This is why I also lumped “using docker” into the party side by side with “using *arr stack”. Most people will find a compose file and just modify the left side of the volume declaration to point at their media. And most dockers are going to have simple internal mounts in their example compose files.Both Arr and Docker will end up pushing people to standardize the path, then the filename. Using both together compounds the issue and they tend to standardize different parts of the path.
Or you become part of a bonnet and attack your own government’s military. Then you get some very angry knocks on your door and a black back over your face.
And, if you’re brown, probably some electrodes on your genitals until you sign a written confession.
This isn’t happening. The government understand what a botnet is, and if tens or hundreds of thousands of compromised machines are involved, they aren’t coming after you for being part of the attack.
They might send you mail telling you to take care of your shit though.
Some countries have recently been snatching brown people off the streets for any reason. And firing all the smart folks who might know what a bonnet is
Be reasonable, we’re talking about States here.
Huh, I can’t check the link right now… But if exposing Jellyfin to the Internet is not an option, then it is not ready to be shipped as the Plex replacement I have heard a lot here and on Reddit.
The linked post is from 2021. Many of the items were already closed. This looks like fear mongering.
No. None of the items are closed. Click the “closed” items. All of them are “Not planned. Duplicate, see 5415”.
Put the instance behind another authentication point like a VPN or reverse proxy with SSO. That will prevent the wider Internet from accessing it without legitimate users being cut off. You should be doing this with any server you operate (like Plex), but definitely one that may have legal implications.
aaaand now you smart tv can’t connect. none of them. the clients dont even support http basic auth creds put into the URL for some crazy reason.
for advanced HTTP-level authentication you would need to run a reverse proxy on the TV’s network that would add the authentication info. for the VPN idea you would need to tunnel the TV’s network’s internet connection at the router. or set up a gateway address in the TVs network settings that would do that. or use a reverse proxy here too so that it repeats the request to the real server.
but honestly, this is the real and only secure way anyway. I wouldn’t be comfortable to expose jellyfin even if the devs are real experts. I mean vulns get discovered, in dotnet, jellyfin dependencies, linux filesystem, and reverse proxy, and honestly who has time to always tightly keep up to date with all that.
that’s not to discount the seriousness of the issue though, it’s a real shame that jellyfin is so much against security
Your smart TV is (presumably) on your local network, so you should be routing the requests locally (point the client at the local ip, assuming it didn’t autodiscover it) not through the VPN/ tunnel.
Your smart TV is (presumably) on your local network
often, but not always. sometimes the TV is at a different house, when you are a guest or at a second property
In which case there are still ways to make it work, like putting in an SSO bypass rule for the IP of your other property. Point is, under no circumstances is it impossible to both have it be protected against scanning attacks like the ones described in the gh issue, and keep it available to use over the internet for authorized users.
Or even just on a differently vlan that you want to go through your reverse-proxy because that is where your security features are to separate you from shit you don’t trust.
I am sorry, I don’t think I follow, I am CGNATED anyway, so I need to use VPNs to access my server (if IPv6 is not available, for IPv4 I am experimenting with Tailscale funnels as of now).
You should already be fine in that case.
Do we even know that Plex is better? It’s closed source and hasn’t been audited afaik
Do we even know that Plex is better? It’s closed source and hasn’t been audited afaik
Yes… because you can take the raw request your browser makes… remove your auth cookie and replay the same request and it fails.
Closed source doesn’t mean that it can’t be tested for problems. Just means that you can’t go to the code to understand why it’s a problem. You can still see that the problem exists (or doesn’t in this case).
Edit: I haven’t tested every api endpoint myself… but for video files it doesn’t work. It’s not vulnerable to the same thing that JF is in that specific case.
It is if you have compared them together.
I haven’t recently thought and I am a lifetime Plex pass user (we will see what lifetime truly means sooner or later) and I have still been unaffected by most of the changes Plex has done (watch together is the 1st valuable feature that I have lost), so if you can’t expose Jellyfin then it is not better than Plex for me.
Agreed. I’m a bit disappointed that it’s being touted as such. If you need a local LAN option, use VLC Player.
It’s a list from 2021 and as a cybersec researcher and Jellyfin user I didn’t see anything that would make me say “do not expose Jellyfin to the Internet”.
That’s not to say there might be something not listed, or some exploit chain using parts of this list, but at least it’s not something that has been abused over the last four years if so.
Yea many of the linked issues are already closed. Why is this post not down-voted like crazy?
No. None of the items are closed. Click the “closed” items. All of them are “Not planned. Duplicate, see 5415”.
The same reason FUD is so popular in regular news.
Agreed, this is a valid list of minor concerns but this is just a fearmongering post. It’s not good that some metadata can leak but if you take normal precautions (i.e. don’t run this next to your classified information storage) it’s fine to open this so your friends can watch media.
Source: me and my Masters degree in cybersecurity (but apparently OP just learned about Kerckhoff’s principle and rainbow tables in a completely incorrect context so I know how to do my job or smth lmao)
Edit: lol don’t look at OPs post history, now I know where the fearmongering came from
Source: R1 masters professor. Literally the person you would have needed to take the class from on the topic at my institution.
This is a problem simply because most paths and names will be similar due to *arr suites and docker mounts normalizing them to a standard that jellyfin wants to see. In the context of Sony’s top 1000 movies, they can pre-compile the top 100 likely paths for the file (/movies, /mnt/movies, etc) then run the 100000 hash check through scripts against your instance. How long does it take to let a crawler collect http statuses on 100000 page loads? Now put that to a bot that gets jellyfin instances from a tool like shodan and add more hashes. If you flag, now onus is on you to prove you have license for content and they would have a case that you distributing (albeit weak) since your server was open to the public. This is child’s play level abuse-able. Risking that something easy like this isn’t being abused by Sony and others (you know… willing to install a rootkit on your computer types…) is a very silly stance to take.
The hash that’s used to represent the path isn’t salted or otherwise unique.
Edit: mobile typos.
If I have rate limiting set up (through crowdsec) to prevent bots from scanning / crawling my server, should I be as worried?
Probably not. But depending on how it’s configured it could still be a gamble/risk. A rate limiting setup can mitigate it a lot.
but if you take normal precautions (i.e. don’t run this next to your classified information storage)
oh yeah I’m pretty sure the majority of users bought a dedicated machine for Jellyfin
More likely than other services due to HWA.
my impression was that people either just put a graphics card in their server, or run jellyfin from the desktop/laptop
It’s nice to read something sane in these threads.
Fully agreed. There’s some stuff in the list that could leak server info or metadata about available content to the public, but the rest seems to require some knowledge before being able to exploit it, such as user IDs.
That doesn’t mean these aren’t issues, but they’re not “take your jellyfin down now” type issues either.
The last set of comments is from 2024. These have not been addressed. The fact that it is possible to stream without auth is just bonkers.
The entirity of jellyfin security is security via obscurity which is zero security at all.
“As a cybersec researcher”, the limp wristed, hand wavy approach to security should be sending up alarm bells. The fact that it doesn’t, means that likely either, you don’t take your research very seriously, or you aren’t a “cybersecurity researcher”.
“Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they’ve never been fixed. We’d definitely like to but doing so in a non-disruptive way is the hard part.”
Is truly one of the statements of all time.
How is someone meant to guess what seems to be a randomly generated id? If they try to brute force it then you could probably set up something like fail2ban to block them after a few failed attempts.
I’m not saying video ids shouldn’t require authentication, they should but the risk of someone getting the video id seems fairly low.
It isn’t randomly generated. If you read through you would have known that.
Also, Rainbow tables.
tldr, Rainbow tables are precomputed lists of hashed values used to crack password hashes quickly. Instead of hashing each password guess on the fly, attackers use these tables to reverse hashes and find the original passwords faster, especially for weak or common ones. They’re less effective against hashes protected by a unique salt.
If the ID is the MD5 of the path, rainbow tables are completely useless. You don’t have the hash. You need to derive the hash by guessing the path to an existing file, for each file.
How unique do you suppose file system paths are?
How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.
The scanning for known releases becomes trivial once the file system pattern is known.
I’ve not looked but if the video id is based on its path, then surely the path includes the filename no? You can’t split a hash into its separate original parts, you either guess the entire thing or not. So in that case, the hash is going to challenging to brute force.
It’s not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it’s basically impossible.
If the server is using a standard path prefix and a standard file layout and is using standard file names it isn’t that difficult to find the location of a media file and then from there it would be easier to find bore files, assuming the paths are consistent.
But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.
You can’t say that a solution is no security at all when it requires time and intelligence to bypass.
It is at least 0.01 security.
Effort or no, if an attacker can reasonably bypass it, it’s not secure. That’s why software gets security patches all the time, why encryption/hashing algorithms can fall out of favor, and why quantum computing can be pretty fucking scary.
No system is secure.
#confidentlyincorrect
The votes are not on your side
I didn’t say it’s secure, I just said it’s security.
You’re hiding behind literal definitions to avoid addressing the functional issue/implications.
This is like when somebody says “no one believes that“ and the other person finds a tweet by one person that believes the thing. The claim isn’t that literally not one person does, it’s that it’s so unusual you may as well act as if nobody does.
Surely you understand how people talk and basic vernacular?
Surely you understand how a stupid response to a silly statement like it is one of the sayings of all time can be appropriate in humorous situations, right?
I understand that you did not find it funny, but I hope that you can understand that it was my intention to be funny, and therefore a serious response is disproportionate.
I thought you were being serious as well. I’ve dealt with enough people who would genuinely make that argument so I assume nothing.
The humorous intent was not obvious.
How about 0.001 security?
So I have a NAS running Ubuntu I only keep my movies, my Jellyfin, and torrent software on in an isolated VLAN I stream from. I would think this would make any security issue with Jellyfin a dead end. I stream all content from Jellyfin domain I made and never use it locally. I stream off it at home from my VPN. This seems a safe way to stream where it can be used away from home unless I am missing something? Pointing out any holes in my logic is appreciated.
Use a VPN
@Scary_le_Poo I wouldn’t say never, but in most cases, you’re best served by sticking it behind wireguard- but this is also true of any service or tool you don’t intend to make available to the greater internet
Who has the technical wherewithal to run Jellyfin but leaves access on the open web? I get that sharing is part of the point, but no one’s putting their media collection on an open FTP server.
The level of convenience people expect without consequences is astounding. Going to be away for home for a few days? Load stuff onto an external SSD or SD card. Phoning home remotely makes no sense.
The typical guides for installing Jellyfin and friends, stop at the point where you can access the service, expecting you to secure it further.
Turns out, the default configuration for many (most) routers, is to allow external access to anything a local service will request it to allow, expecting you to secure it further.
Leaving it like that, is an explosive combo, which many users never intended to set up, but have nonetheless.
I get that sharing is part of the point, but no one’s putting their media collection on an open FTP server.
You would be very wrong about that. You can even search open FTP servers using Google
OK. I’ll revise. No one with any sense is doing this. “Hi, RIAA and MPAA, come after me” is an asinine approach. I realize we have at least one generation unfamiliar with Napster, KaZaa and LimeWire, which replaced ratio FTP servers (which in turn replaced F-Servs in IRC). This is terrible online hygiene. You don’t leave your media out there for all to see. At least password protect access before linking to your friends.
Look at the rest of this thread though… many people are just fine with “this is FUD, I’m going to keep doing it!”
Still, posts like this raise awareness of the problem.
Friends, family using Jellyfin is the reason many have it directly available (and not behind VPN for example).
I know people are going to crucify me for this but just fucking use Plex at that point
thanks but no. I like my privacy more
And I like that my wife and kids can jump on and access my server whenever they want from any device without fuss. Everyone has their priorities! I take my privacy pretty seriously but I can’t make it the number one consideration at the cost of everything else all the time. Plus, Jellyfin is a security risk if you don’t know what you’re doing. I’m pretty tech savvy but it definitely pushes my limits so I do not feel comfortable setting it up and constantly maintaining it.
I’m not exposing jellyfin, but for sure I wouldn’t let my plex server even see the internet (I bet iy wouldn’t even work that way).
jellyfin is perfectly accessible everywhere it needs to be. been using a VPN on my phone for ages for all traffic.
They jacked their prices, or are about to anyway. If you don’t have a lifetime Plex pass then Plex might not be a viable option. My seedbox provider has been pushing people to Jellyfin for anyone without a Plex pass.
“Jacked their prices” is a tad dramatic and if you use Plex regularly you’d be foolish not to just buy the lifetime subscription when they put it on sale for like $80 every year. The price change this year was modest except for lifetime which went from $125-$250 with a heads up meaning you could’ve still gotten it at $125 before the change.
Do you know the details of the price change?
I thought I had a lifetime Plex pass, but turns out I was on yearly and the price went up $20/year, so I bought lifetime before the price went up. My whole family uses Plex, I couldn’t handle setting up Jellyfin for everyone and their devices.
Yeah if I was just serving myself I would’ve probably stuck with Jellyfin, but my wife and kids also use my server. Because of it we pay exactly $0 a month in subscriptions. Plex lifetime pass was a very easy decision to make.
If they do a complete heel turn tomorrow and fuck us all, I could simply shut it down. The money I’ve saved so far has been worth it.
Doesn’t have a sync play feature like Jellyfin does
I understand why you might find that useful but I do not think that is exactly the most important feature in the world to most people. I could also rattle off plenty of things Plex can do that Jellyfin can’t. I have used both and the fact of the matter is just am willing to take the trade offs for the simplicity of Plex. You do you!
My Jellyfin server is behind Cloudflare with IP outside of my country banned.
I got Crowdsec set up on Cloudflare, Traefik and Debian directly.
I got Jellyfin up in a docker container behind Traefik, my router opens only 80 and 443 ports and direct them to Traefik.
Jellyfin has only access to my media files which are just downloaded movies and shows hardlinked by Sonarr/Radarr from my download folder.
It is publicly exposed to be able to watch it from anywhere, and share it to family and friends.
So what? They might access the movies, even delete them, I don’t care, I’ll just hardlink them back or re-download them. What harm can they do that would justify locking everything down?
So what? They might access the movies, even delete them, I don’t care, I’ll just hardlink them back or re-download them. What harm can they do that would justify locking everything down?
Well… if “they” happen to be the rights holders or lawyers of the rights holders and they happen to enumerate their content on your system because they can guess common linux paths and likely names that their movie/show/music would appear as in your system, you’re going to care real quick when the lawsuit comes.
Where I live, I have the legal right to have a copy of a film of which I have a legal version, they can watch my media library as much as they want, it’s not enough to prove that it’s illegal.
And hacking my server is illegal, they can’t go to court by presenting evidence obtained through hacking, they would risk much more than me.
Keeping that copy on a web accessible platform that is accessible by anyone on the internet(unauthenticated) isn’t covered by your rights at a bare minimum.
Depending on the content “timing” if they trigger on something that doesn’t have a physical/consumer release yet… or all sorts of other “impossible” conditions. This is obviously reliant on what content you actually have on your server.
It’s still something regardless that it’s best not to invite.
Keeping that copy on a web accessible platform that is accessible by anyone on the internet(unauthenticated) isn’t covered by your rights at a bare minimum.
It’s as accessible as my DVD collection in my living room: anyone can get into my home without a key by illegally breaking a window.
Using a flaw in my Jellyfin to access my content is illegal and can’t be used against me to sue me, period. The idea of rights holders who would hack me to sue me is just plain ridiculous.
Depending on the content “timing” if they trigger on something that doesn’t have a physical/consumer release yet… or all sorts of other “impossible” conditions. This is obviously reliant on what content you actually have on your server.
And again, the only proof they would have could not be used in courts.
For real, you’re just fear-mongering at this point.
I was sincerely hoping someone would bring some real concerns, like how one of these security breaches listed in the OP could allow privilege escalation or something, but if all you got is “Universal might hire hackers to break through your server and sue you”, you’re comforting me in my idea that I don’t have much to fear
deleted by creator
There is no authentication occurring. There is no “hacking” here. Nothing about scanners or bots scraping unauthenticated endpoints is illegal. This would be admissable.
Using a flaw in a software to retrieve data you should not have access to is illegal where I live, the same way as you’re not suddenly allowed to enter my house and fetch my drawers just because I left a window open. I won’t debate this point further.
So what’s the alternative? VPNs are unreliable
Unreliable how?
Possibly some ISP interference with the OpenVPN protocol. Apparently that can happen sometimes
You can always funnel all your VPN traffic through a more typical port, like 80, and there’s very little anyone can do to distinguish between your traffic and typical web traffic.
If your ISP causes issues with inbound traffic to your home network, just add another link to the chain to include a cloud-hosted server, or host it all entirely in the cloud (if you find a trustworthy one with a reasonable cost).
wireguard has been going fine here for 5+ years. only problems were when that garbage raspberry crashed as it always does (but that’s an issue with the hardware) and when the IP changes, but that’s mitigated by dynamic DNS
I think you can IP whitelist who can access it no? That should solve any problems
There is zero (0) chance of an attacker to know and then spoof address of your friend unless you have even bigger problems. Good filter should simply not respond to any packets making very existence of exploitable site undetectable.
Wrong use case, the expected one is friends and family watching stuff on your Jellyfin server from different homes, potentially through mobile, all with dynamic IPs
Perfect use for allowlisting based on dynamic DNS hostnames.
is that a feature in Jellyfin? and since when do all ISP subscribers have names in DNS?
You would set up the allowlist in your firewall. There are plenty of free options for dynamic DNS though not from any ISPs that I’m aware of.
oh, in your firewall. I think I can count the percents on one hand about how much of jellyfin users run a firewall applience besides it
deleted by creator
Does your friend have a static IP? Unlikely considering that you have to pay extra for a static IP.
We are lucky, we get two free. Technically they aren’t true static, its tied to MAC of your modem, or your router(s) – with ISP modem in bridge mode. You can pay for true static, but I have probably had the same IP for 5 years, and same with the modem/routerbeforre this one.
@Emmie @Scary_le_Poo That depends on the ISP, there’s still some out there that will give you one for free.
