Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Agreed, this is a valid list of minor concerns but this is just a fearmongering post. It’s not good that some metadata can leak but if you take normal precautions (i.e. don’t run this next to your classified information storage) it’s fine to open this so your friends can watch media.
Source: me and my Masters degree in cybersecurity (but apparently OP just learned about Kerckhoff’s principle and rainbow tables in a completely incorrect context so I know how to do my job or smth lmao)
Edit: lol don’t look at OPs post history, now I know where the fearmongering came from
Source: R1 masters professor. Literally the person you would have needed to take the class from on the topic at my institution.
This is a problem simply because most paths and names will be similar due to *arr suites and docker mounts normalizing them to a standard that jellyfin wants to see. In the context of Sony’s top 1000 movies, they can pre-compile the top 100 likely paths for the file (/movies, /mnt/movies, etc) then run the 100000 hash check through scripts against your instance. How long does it take to let a crawler collect http statuses on 100000 page loads? Now put that to a bot that gets jellyfin instances from a tool like shodan and add more hashes. If you flag, now onus is on you to prove you have license for content and they would have a case that you distributing (albeit weak) since your server was open to the public. This is child’s play level abuse-able. Risking that something easy like this isn’t being abused by Sony and others (you know… willing to install a rootkit on your computer types…) is a very silly stance to take.
The hash that’s used to represent the path isn’t salted or otherwise unique.
Edit: mobile typos.
If I have rate limiting set up (through crowdsec) to prevent bots from scanning / crawling my server, should I be as worried?
Probably not. But depending on how it’s configured it could still be a gamble/risk. A rate limiting setup can mitigate it a lot.
oh yeah I’m pretty sure the majority of users bought a dedicated machine for Jellyfin
More likely than other services due to HWA.
It’s nice to read something sane in these threads.