Following months of testing, Plex has started to roll out its redesigned mobile app to Android and iOS devices, and it will reach everyone within the next week. The new app comes with an updated navigation system that should make it easier to access different parts of the app and find content to watch, along with a dedicated tab for centralized media libraries.

It also has a button in the top-right corner of the screen for your Watchlist and more artwork across detail pages for shows and movies, as well as cast and crew profiles. In a post on the Plex forum, the company outlines a ton of improvements it has made to the app since the preview, including faster load times and scrolling, the addition of a sleep timer, and picture-in-picture support.

  • ToadOfHypnosis@lemm.ee
    2 days ago

    And Jellyfin is better and free. I don’t trust Plex with my content and I don’t want their added streaming bloatware.

    • Saik0@lemmy.saik0.com
      2 days ago

      In some ways it is… In others it’s definitely not.

      My biggest problem is that I can’t expose it on a domain for my family to get to. They don’t know how to VPN and to educate them would be exhausting.

      • ToadOfHypnosis@lemm.ee
        17 hours ago

        So I have a NAS running Ubuntu I only keep my movies, my Jellyfin, and torrent software on in an isolated VLAN I stream from. I would think this would make any security issue with Jellyfin a dead end. I stream all content from Jellyfin domain I made and never use it locally. I stream off it at home from my VPN. This seems a safe way to stream where it can be used away from home unless I am missing something? Pointing out any holes in my logic is appreciated.

        • Saik0@lemmy.saik0.com
          2 days ago

          Because a reverse proxy doesn’t resolve any of these major issues.

          https://github.com/jellyfin/jellyfin/issues/5415

          Your content can be probed, identified, and streamed all without auth. Your users can be enumerated in certain cases.

          Edit: If you host legit content, like family videos… All of that can be leaked. If you don’t host legit content… and the public site gets probed and they identify the illegal content… expect to be named in a very large lawsuit… either situation is bad.

          Edit2: and hosting it behind a proxy that does its own auth would break ALL app-based jellyfin clients.

          • shnizmuffin@lemmy.inbutts.lol
            2 days ago

            @joshuaboniface on Mar 8, 2021

            Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they’ve never been fixed. We’d definitely like to but doing so in a non-disruptive way is the hard part.

            Holy fuck what a reply.

            • Saik0@lemmy.saik0.com
              1 day ago

              Yeah… ignoring potentially leaking people’s private videos for the sake of “backwards compatibility” is wild. No… When you find a critical flaw like that, you should be breaking compatibility purposefully in order to make people update to tooling/programs that support the new more secure functionality.

            • Saik0@lemmy.saik0.com
              2 days ago

              Would seem so. The project is open source, and nobody is getting paid. So the lack of update makes sense to some extent.

              As cool as it is… and as much as I want to make plex shove it completely. Jellyfin just isn’t ready for prime-time.

              I run both… Jellyfin isn’t allowed to talk outside of my network at all, and I can access it over my personal VPN… But Plex is where all my users are because anything else would just be too annoying to maintain.

              • MaggiWuerze@feddit.org
                1 hour ago

                Holy shit. Thanks. I actually had it exposed as I wanted some of my Plex users to basically beta test my hardware acceleration config on Jellyfin (another reason why I won’t switch anytime soon) but I just shut that thing down and won’t touch it until I absolutely have to

          • Domi@lemmy.secnd.me
            2 days ago

            You are reading too much into the issue linked.

            In order to actually abuse any of the unsecured endpoints, you need to have knowledge of the domain, the media/user/stream IDs and media paths. You don’t get those unless you have a user on the Jellyfin instance and brute forcing them is not practical. If you trust the users you add to your Jellyfin instance, there is not much risk in exposing it to the internet.

            Those issues definitely need to be addressed at some point, but it doesn’t make Jellyfin exposed on the internet open to anyone.

            • Saik0@lemmy.saik0.com
              1 day ago

              No… and you’re trusting this WAY too much. This is exactly why it’s dangerous.

              You don’t need any knowledge of the domain. Tools like shodan will categorically identify EVERY jellyfin instance that scanners will run into.

              the media/user/stream IDs and media paths.

              No. Read the whole thread. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658

              If your path is similar to my path, which due to the nature of the software we ALL have similar paths. You can absolutely bruteforce the CALCULATED AND NOT RANDOM MD5 hash of the folder names that bigbucksbunny lives in. All it takes is for one angsty company to rainbow table variants of their movie’s name to screw you completely over. This is “security through obscurity”. This isn’t safe AT ALL.

              Edit: Just to clarify, you would have to ADD your own GUID style information to the folder path in order to make it so a generic precompiled rainbow table for common paths would not work. E.g., /mnt/53ec1945-55dd-4b73-8e03-9e465d5739c3/movies/bigbucksbunny

              common paths/names can be setup based on the defaults for programs like the *arrs with minor linux-minded variants and I bet it would hit a good chunk of users who run jellyfin.
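
Added example, not part of the thread and not Jellyfin's own code: a small audit of your own library paths for the property discussed above, namely that an ID derived only from a path can be precomputed by anyone who guesses the path. `path_id` is a simplified stand-in (plain MD5 of the path string, an assumption rather than Jellyfin's exact derivation), and the sample paths are constructed, the second one taken from the comment's own example.

```python
import hashlib
import re
import uuid

# Matches a path segment that is a canonical UUID (as in the comment's example path).
UUID_SEGMENT = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)

def path_id(path: str) -> str:
    """Simplified stand-in for a path-derived ID: MD5 of the path string.
    Assumption: not Jellyfin's exact derivation, only the same property
    (the ID is a pure function of the path, with no secret or randomness)."""
    return hashlib.md5(path.encode("utf-8")).hexdigest()

def has_random_segment(path: str) -> bool:
    """True if any directory component is a UUID, i.e. not guessable from defaults."""
    return any(UUID_SEGMENT.match(seg) for seg in path.split("/") if seg)

def audit(library_paths):
    """Return the paths whose derived ID anyone could precompute from the path alone."""
    return [p for p in library_paths if not has_random_segment(p)]

def salted_root(root: str, name: str) -> str:
    """Build a library path with a fresh random UUID directory under root."""
    return f"{root.rstrip('/')}/{uuid.uuid4()}/{name}"

# Constructed sample paths (the second is the example from the comment above).
SAMPLE = [
    "/mnt/media/movies/bigbucksbunny",
    "/mnt/53ec1945-55dd-4b73-8e03-9e465d5739c3/movies/bigbucksbunny",
]

if __name__ == "__main__":
    flagged = audit(SAMPLE)
    for p in SAMPLE:
        status = "predictable" if p in flagged else "has random segment"
        print(f"{path_id(p)}  {status:<20} {p}")
    print("suggested:", salted_root("/mnt", "movies/bigbucksbunny"))
```

The UUID printed in the comment is public, so a real layout should use a freshly generated one (as `salted_root` does) rather than copying it.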

  • JokeDeity@lemm.ee
    1 day ago

    It’s simple, Plex is owned by capitalists, their goal is not to provide a service or a product, their goal is to make money. Jellyfin is currently the best as far as I know for doing the only thing anyone ever wanted Plex to do.

  • MagicShel@lemmy.zip
    2 days ago

    Why does plex need all of this shit? I literally only wanted to use it to stream my local stuff. Now that’s just a tiny part of the app.

    I say now, but I don’t think I’ve used it at all in the past couple of years.

  • Orisis@lemm.ee
    2 days ago

    This update is so good that I switched my server to jellyfin. I didn’t like it last time I used it, but it seems that they made a lot of improvements and now the app is kinda fire

  • airman@infosec.pub
    2 days ago

    I hate this update

    • no manual PiP which existed in the previous version. The auto PiP works sometimes
    • multiple freezes, seemingly random
    • phone gets way hotter and drains battery faster
    • looks like yet another generic streaming app “experience”

    If only Jellyfin onboarding was as easy for friends and family…

    • Saik0@lemmy.saik0.com
      2 days ago

      If only Jellyfin onboarding was as easy for friends and family…

      What makes it harder is that you can’t just expose it to the internet… https://github.com/jellyfin/jellyfin/issues/5415

      In order to use Jellyfin you now have to get all your users onto a vpn or some other tunneling service. It’s crazy.

      I have both installed… I want to deprecate Plex SO FUCKING BAD. But Jellyfin just isn’t good enough.

      • vithigar@lemmy.ca
        1 day ago

        If the fact that a 128-bit value when sent to your server can retrieve a single piece of media or user info then I have real bad news about what you can do with a typically much shorter password.

        Is it ideal that you can retrieve streams or user info from Jellyfin if you know the ID of the entity you’re looking for? No, obviously not. But you need to authenticate to get those IDs in the first place, and there are fewer bits of entropy in most people’s passwords than there are in UUIDs.

        Being able to get streams unauthenticated by guessing the correct UUID is arguably still better security than using passwords without 2FA.

          • vithigar@lemmy.ca
            1 day ago

            My mistake then, it’s more vulnerable than I initially thought. I also don’t think it’s secure even if that weren’t true, just that it’s not worse than single factor passwords (which you also shouldn’t use if security is a concern).

            • Saik0@lemmy.saik0.com
              1 day ago

              Thanks for admitting it. A few people simultaneously responded attacking my warning. So rereading my response to you, I recognize I was a bit more snarky than was warranted, and I apologize for that.

              But yeah, 2fa (Even simple TOTP) baked in would go a long way on the user front too.

              It’s clear that Sony could just generate a rainbow table of hashes in MD5 with common naming conventions and folder conventions, make a list of 100k paths to check or what have you for their top 1000 movies… and then shodan (or similar tool) to find JF instances, and then check the full table in a few hours… rinse repeat on the next server. While that alone shouldn’t be enough to prove anything, the onus at that point becomes your problem as you now have to prove that you have a valid license for all the content that they matched, they’ve already got the evidence that you have the actual content on your server, and you having your instance public and linkable could be (I’m not a lawyer) sufficient to claim you’re distributing. Like I can script this attack myself in a few hours (Would need a few days to generate a full rainbow table)… Put this in front of a legal team of one of the big companies? They’ll champ at the bit to make it happen, just like they did for torrents… especially when there’s no defense of printers being on the torrent network since it’s directly on your server that exists on your IP/domain.

  • BakedCatboy@lemmy.ml
    2 days ago

    Wow, this can only be a disaster. People on the Plex experience preview forum are pissed. The android build hasn’t been updated in a month, I didn’t think it would be rolled out for another 3-6 months.

    So many features are missing, the only way to remove Plex rentals/free is by going into your account settings, performance is shit even just scrolling your media.

    • MaggiWuerze@feddit.org
      1 hour ago

      I haven’t looked at the beta client in a while and was wondering how they could’ve gotten it ready this fast. Guess I’ll pin my app version real quick.

      Damn it, I don’t want to switch to Jellyfin

  • Paradox@lemdro.id
    2 days ago

    Wonder how many things they shit up

    I was surprised to find that an old Plex feature, controlling any one player from any other instance, such as playing on a laptop and controlling with a cell phone, no longer worked. My wife and I used that a lot when traveling, as plugging a laptop into a hotel TV with an HDMI cable is generally far more bullet proof than any streaming stick

    Course sometimes we’d stay in an Airbnb, and they’d have a Roku or Apple TV, where we’d just sign into a Plex app and use it there. But that’s beyond the point