Following months of testing, Plex has started to roll out its redesigned mobile app to Android and iOS devices, and it will arrive for everyone within the next week. The new app comes with an updated navigation system that should make it easier to access different parts of the app and find content to watch, along with a dedicated tab for centralized media libraries.

It also has a button in the top-right corner of the screen for your Watchlist and more artwork across detail pages for shows and movies, as well as cast and crew profiles. In a post on the Plex forum, the company outlines a ton of improvements it has made to the app since the preview, including faster load times and scrolling, the addition of a sleep timer, and picture-in-picture support.

    • Saik0@lemmy.saik0.com (13 upvotes, 7 months ago)

      In some ways it is… In others it’s definitely not.

      My biggest problem is that I can’t expose it on a domain for my family to get to. They don’t know how to VPN and to educate them would be exhausting.

        • Saik0@lemmy.saik0.com (22 upvotes, edited, 7 months ago)

          Because a reverse proxy doesn’t resolve any of these major issues.

          https://github.com/jellyfin/jellyfin/issues/5415

          Your content can be probed, identified, and streamed all without auth. Your users can be enumerated in certain cases.

          Edit: If you host legit content, like family videos… All of that can be leaked. If you don’t host legit content… and the public site gets probed and they identify the illegal content… expect to be named in a very large lawsuit… either situation is bad.

          Edit2: and hosting it behind a proxy that does its own auth would break ALL app-based jellyfin clients.

          • shnizmuffin@lemmy.inbutts.lol (7 upvotes, 7 months ago)

            @joshuaboniface on Mar 8, 2021

            Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they’ve never been fixed. We’d definitely like to but doing so in a non-disruptive way is the hard part.

            Holy fuck what a reply.

            • Saik0@lemmy.saik0.com (4 upvotes, 7 months ago)

              Yeah… ignoring potentially leaking peoples private videos for the sake of “backwards compatibility” is wild. No… When you find a critical flaw like that, you should be breaking compatibility purposefully in order to make people update to tooling/programs that support the new more secure functionality.

            • Saik0@lemmy.saik0.com (10 upvotes, 7 months ago)

              Would seem so. The project is open source, and nobody is getting paid. So the lack of update makes sense to some extent.

              As cool as it is… and as much as I want to make plex shove it completely. Jellyfin just isn’t ready for prime-time.

              I run both… Jellyfin isn’t allowed to talk outside of my network at all, and I can access it over my personal VPN… But Plex is where all my users are because anything else would just be too annoying to maintain.

              • MaggiWuerze@feddit.org (2 upvotes, edited, 7 months ago)

                Holy shit. Thanks. I actually had it exposed as I wanted some of my Plex users to basically beta test my Hardware acceleration config on Jellyfin (another reason why I won’t switch anytime soon) but I just shut that thing down and won’t touch it until I absolutely have to

          • Domi@lemmy.secnd.me (4 upvotes, 7 months ago)

            You are reading too much into the issue linked.

            In order to actually abuse any of the unsecured endpoints, you need to have knowledge of the domain, the media/user/stream IDs and media paths. You don’t get those unless you have a user on the Jellyfin instance and brute forcing them is not practical. If you trust the users you add to your Jellyfin instance, there is not much risk in exposing it to the internet.

            Those issues definitely need to be addressed at some point, but it doesn’t make Jellyfin exposed on the internet open to anyone.

            • Saik0@lemmy.saik0.com (8 upvotes, edited, 7 months ago)

              No… and you’re trusting this WAY too much. This is exactly why it’s dangerous.

              You don’t need any knowledge of the domain. Tools like shodan will categorically identify EVERY jellyfin instance that scanners will run into.

              the media/user/stream IDs and media paths.

              No. Read the whole thread. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658

              If your path is similar to my path (and due to the nature of the software we ALL have similar paths), you can absolutely bruteforce the CALCULATED AND NOT RANDOM MD5 hash of the folder names that bigbucksbunny lives in. All it takes is for one angsty company to rainbow table variants of their movies’ names to screw you completely over. This is “security through obscurity”. This isn’t safe AT ALL.

              Edit: Just to clarify, you would have to ADD your own GUID-style information to the folder path in order to make it so a generic precompiled rainbow table for common paths does not work. Eg, /mnt/53ec1945-55dd-4b73-8e03-9e465d5739c3/movies/bigbucksbunny

              Common paths/names can be set up based on the defaults for programs like the *arrs with minor linux-minded variants, and I bet it would hit a good chunk of users who run jellyfin.

              • Domi@lemmy.secnd.me (2 upvotes, 7 months ago)

                and you’re trusting this WAY too much.

                I don’t need to trust because I know how it works: https://github.com/jellyfin/jellyfin/blob/767ee2b5c41ddcceba869981b34d3f59d684bc00/Emby.Server.Implementations/Library/LibraryManager.cs#L538

                Tools like shodan will categorically identify EVERY jellyfin instance that scanners will run into.

                They can’t. Without the domain, the reverse proxy will return the default page.

                No. Read the whole thread.

                I did.

                If your path is similar to my path

                It does not need to be similar, it needs to be identical.

                • There are 2 popular Docker images, both store the media in different paths by default
                • You do not have to follow the default path
                • The server does not even have to run in Docker
                • The sub path is entirely defined by the user
                • You do not know the naming scheme for the content

                There are 1000s of variations you have to check for every single file name, with 0 feedback until you get a hit. After you have gone through all that trouble, you can now confirm that the file exists and do great things like retrieve the cover art or the subtitles. None of which is incriminating or useful.

                All it takes is for one angsty company to rainbow table variants of their movies name to screw you completely over.

                My threat model does not include “angsty company worried about copyright infringement on private Jellyfin servers”.

                Why bother scanning the entire internet for public Jellyfin instances when you can just subpoena Plex into telling you who has illegal content stored?

                • Saik0@lemmy.saik0.com (4 upvotes, 7 months ago)

                  I don’t need to trust because I know how it works: https://github.com/jellyfin/jellyfin/blob/767ee2b5c41ddcceba869981b34d3f59d684bc00/Emby.Server.Implementations/Library/LibraryManager.cs#L538

                  Yes… exactly how I said it works. Notice the return.

                  return key.GetMD5();

                  It’s a hash, not a proper randomized GUID. But thanks for backing me up I guess? I wasn’t interested in posting the actual code for it because I assumed it wouldn’t be worth a damn to most people who would read this. But here we are.

                  They can’t. Without the domain, the reverse proxy will return the default page.

                  You are wrong, but at this point I’d have to educate you on a lot of stuff that I don’t have the time or care to educate you on. The tools are out there and it’s beside the point at all; proper auth fixes all the concerns. If it’s publicly accessible you have to assume that someone will target you. It’s pitifully simple for someone to set up a tool to scan ranges and find stuff (especially with SSL registrations being public in general; if I asked any database for all domains issued that start with “jf” or “jellyfin” or other common terms, I’d likely find thousands instantly). Shodan can and does also do domain stuff.

                  There are 2 popular Docker images, both store the media in different paths by default

                  So they’d only have to have 2 hashes for a file to hit the VAST MAJORITY OF PEOPLE WHO USE THE DOCKER. What an overwhelming hurdle to jump…

                  You do not have to follow the default path

                  Correct, but how many people actually deviate? Forget that most people will map INTO the container and thus conform to the mapping that the containers want to use. This standardizes what would have been a more unique path INTO a known path. This actually makes the problem so much worse.

                  The server does not even have to run in Docker

                  And? Many people are simply going to mount as /mnt/movies or other common paths. Pre-compiling md5 hashes with hundreds of thousands of likely paths that can be tested within an hour is literally nothing.

                  You do not know the naming scheme for the content

                  Sure, but most people follow defaults in their *arr suite… Once again… the up-front “cost” of precompiling a rainbow table is literally nothing.

                  It does not need to be similar, it needs to be identical.

                  Correct but the point that I made is that they would simply pre-build a rainbow table. The point would be that they would take similar paths and pre-md5 hash them. Those paths would be similar. Not the literal specific MD5 hash.

                  There are 1000s of variations you have to check for every single file name

                  Which is pitifully easy if you precompile a rainbow table of hashes for the files in the name formats and file structures that are relatively common on plex/jellyfin setups… especially to mirror common naming formats and structures that are used in the *arr setups. You can likely check 1000 urls in a matter of a couple of seconds… Why wouldn’t they do this? (The only valid answer is that they haven’t started doing it… but could at any time.)

                  My threat model does not include “angsty company worried about copyright infringement on private Jellyfin servers”.

                  Yes… let’s ignore the companies that have BOATLOADS of money and have done shit like actively attack torrents and trackers to find thousands of offenders and tied them up legally for decades. Yes, let’s ignore that risk altogether! What a sane response! This only makes sense if you live somewhere that doesn’t have any reach from those companies… Even then, if you’re recommending Jellyfin to other people without knowing that they’re in the same situation as you, you’re not helping.

                  Why bother scanning the entire internet for public Jellyfin instances when you can just subpoena Plex into telling you who has illegal content stored?

                  I thought you knew your threat model? Plex doesn’t hold a list of content on your servers. The most Plex can return is whatever metadata you request… Except that risk now is null because Plex returns that metadata for any show on their streaming platform or for searches on items that are on other platforms, since that function to “show what’s hot on my streaming platforms” (stupid fucking feature… aside) exists. So that metadata means nothing as it’s used for a bunch of reasons that would be completely legitimate. The risk becomes that they could add code that does record a list of content in the future… Which is SUBSTANTIALLY LESS OF A RISK THAN COMPLETE READ ACCESS TO FILES WITHOUT AUTH, but only if you guess the magic incantations that are likely the same as thousands of others’ magic incantations! Like I said though several times, I’d LOVE to drop plex, BECAUSE that risk exists from them. But Jellyfin is simply worse.

                  You seem wildly uneducated on matters of security. I guess I know now why so many people just install Jellyfin and ignore the actual risks. The funny part is that rather than advocating for fixing it, so that it’s not a problem at all… you’re waving it all away like it could never be a problem for anyone anywhere at any time. That’s fucking wildly asinine when a proof of concept of the attack was published on a thread 4 years ago, and is still active today. It’s a very REAL risk. Don’t expose your instance publicly. Proxied or not. You’re asking for problems.
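The ID-guessing argument in the two Saik0 comments above (the “CALCULATED AND NOT RANDOM MD5 hash” point, and the `return key.GetMD5();` line quoted from the linked LibraryManager.cs) can be demonstrated offline. What follows is an added example, not code from this thread and not Jellyfin’s own code. It assumes a simplified scheme in which an item’s public ID is the MD5 of its lowercased library path rendered as a UUID (the real function may prefix a type name and normalize paths differently, which changes the digest values but not the attack); the mount roots and folder formats are constructed guess lists, not measurements of real deployments; and the unauthenticated lookup is stood in for by a dictionary membership test rather than any real endpoint.

```python
import hashlib
import itertools
import uuid

# Assumption (not Jellyfin's exact code): an item's public ID is MD5 over the
# lowercased library path, rendered as a UUID. Any deterministic function of
# a guessable path has the same weakness; only the digest values would differ.
def item_id(path: str) -> str:
    digest = hashlib.md5(path.lower().encode("utf-8")).digest()
    return str(uuid.UUID(bytes=digest))


# Constructed guess lists (assumptions, not measured from real deployments):
# mount roots that container images and *arr-style setups tend to use, and
# folder naming formats that renamers commonly emit.
COMMON_ROOTS = ["/data/movies", "/media/movies", "/mnt/movies", "/movies"]
FOLDER_FORMATS = ["{title} ({year})", "{title}.{year}", "{title}"]


def build_table(titles):
    """Precompute id -> path for every root x format x title combination.

    This is the 'rainbow table' from the thread: built once, offline, before
    any server is contacted.
    """
    table = {}
    for root, fmt, (title, year) in itertools.product(COMMON_ROOTS, FOLDER_FORMATS, titles):
        path = f"{root}/{fmt.format(title=title, year=year)}"
        table[item_id(path)] = path
    return table


def probe(server, candidate_id):
    """Stand-in for one unauthenticated request that leaks whether an item
    with this ID exists. `server` is a dict id -> path built from the
    victim's real library; the attacker only learns the boolean."""
    return candidate_id in server


def identify(server, table):
    """Try every precomputed ID against the server; each hit names a real file."""
    return {cid: path for cid, path in table.items() if probe(server, cid)}


def simulate(victim_paths, titles):
    """Build a victim library from its real paths and run the table against it."""
    server = {item_id(p): p for p in victim_paths}
    return identify(server, build_table(titles))


if __name__ == "__main__":
    titles = [("Big Buck Bunny", 2008), ("Sintel", 2010)]
    # Default-looking layout: the table guesses the path and therefore the ID.
    print(simulate(["/media/movies/Big Buck Bunny (2008)"], titles))
    # Random segment in the mount path (the thread's suggested mitigation):
    # no guess matches, so the same table finds nothing.
    print(simulate(["/mnt/53ec1945-55dd-4b73-8e03-9e465d5739c3/movies/Big Buck Bunny (2008)"], titles))
```

Running the block prints one hit for the default-looking layout and an empty result for the path with a random UUID segment: the precomputed table is only as good as its guesses, which is why a random component in the path defeats it, and why IDs that are not derived from paths at all (or endpoints that require authentication regardless of ID) remove the problem entirely. Note also the lowercasing step in `item_id`: two servers whose paths differ only in letter case share an ID, so a single table covers both.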

        • Saik0@lemmy.saik0.com (4 upvotes, 7 months ago)

          Cool… point me to the LG TV tailscale app… or the roku tailscale app…

          SDNs in general are no different. App support is limited, specifically on devices that people are most likely to want to watch media content on.

          And to say that tailscale is “that’s it” is a bit disingenuous. On my setup (LXC containers) I couldn’t add tailscale even if I wanted without faffing with interface stuff.

        • Saik0@lemmy.saik0.com (1 upvote, 7 months ago)

          If it’s a private VPN, you should be fine. If it’s publicly accessible the jellyfin access through a vpn itself doesn’t matter. They can just subpoena a request to your domain registrar to get your information since the IP won’t yield anything useful for them.