Complete access to your media without authentication isn’t “don’t give you any data”.
The media on my server is not what I’d consider private data, it’s just media. If someone wants to spend their time brute forcing randomized UUIDs to have a minuscule chance of viewing some media on my server, then I really couldn’t care less. Especially since they’re gonna get blocked by http probing detection after a few tries.
If someone could the emails and hashed passwords, then I would care about the spam I’d be constantly receiving after and the possibility of my friends and family’s passwords being exposed, as not all of them use secure passwords (despite my best efforts to convince them to change that).
Simply put, if I was using Plex right now, this breach would impact the many family members and friends using my server, something I’d feel guilty about. Meanwhile, with Jellyfin, none of these concerns would have any effect on them.
Edit: You ninja edited your post… bad nettiquette.
I edited it right after posting because I accidentally clicked post. Didn’t think you’d respond that fast.
Meanwhile you’re all frothing at the mouth cause Plex leaked email addresses and encrypted passwords.
This was my only comment in the thread. Kinda feels like your reply here is taking out your frustration with this entire thread on my reply.
put the endpoints behind your own authentication through your reverse proxy.
Breaks every app for jellyfin including tv apps. So no. that’s not a valid answer.
I assumed you were talking about stuff besides media playback. There are other endpoints that can be secure using your reverse proxy without breaking any apps.
Jellyfin just lets everyone in that can guess a filepath
That’s not how the endpoint works. It is a randomized UUID.
Depending on your security posture, this may be an issue for you. It is not for me, and likely is not for many other users. My media is not sensitive information. My email and other identification info is.
Edit: formatting
Fair enough, I was not aware of this, and I wish the developers made this more clear in the issue thread. This does not change my point that my media is not confidential data. I do agree that it should be by default, but a “breach” where someone accesses a piece of media from my server has no tangible impact on me or my server. A breach that includes my email and account information, absolutely does.
I don’t entirely understand what this response has to do with what I said. I’m surprised to hear you say that people praise Jellyfin as being far more secure than Plex, as I have not heard that. Security has nothing to do with why I use Jellyfin over Plex.
I feel it’s overblown either way, as I don’t believe the average user considers their media sensitive enough for it to be an issue. I’m not treating Plex as worse. Again, I’M NOT THE ONE WHO SAID ANY OF THAT. I am simply stating that in this specific instance, this Plex breach has a worse impact than the Jellyfin security concerns you bring up.
My guy, I didn’t start the comment thread, I’m not the one who brought up Jellyfin. I also believe I responded to every point I made, while you ignored many of mine. I don’t know how you can say I’m not reading your comment. You’re being very weirdly hostile when I’m just trying to have a conversation. I don’t have significant stakes in either Plex or Jellyfin. I do prefer one, but I don’t give a shit what others want to use.
Just want to add that I’m not some completely uninformed user. I have a career in cybersecurity, as well as a degree and plenty of certifications. When discussing a vulnerability, we need to consider the actual risk of a vulnerability, using its likelihood of being exploited and its potential impact. The likelihood of someone attempting to brute force media on my Jellyfin is practically nonexistent, as they have essentially nothing to gain. At best, they find an episode of a show or movie that they could find elsewhere. The impact of someone exploiting this vulnerability is also practically nothing. They would get a stream of the video, minutely impacting the performance of my server.
Again, to be clear, I AGREE with sharing this information. People should be aware of this when using Jellyfin. However, it is not an issue for the majority of users. It is also not anywhere near as bad as a breach of actual account information, data that actually is sensitive. I do not agree with framing it to look like using Jellyfin should be considered generally insecure.
Edit: minor phrasing adjustments