Following months of testing, Plex has started to roll out its redesigned mobile app to Android and iOS devices, and it will reach everyone within the next week. The new app comes with an updated navigation system that should make it easier to access different parts of the app and find content to watch, along with a dedicated tab for centralized media libraries.
It also has a button in the top-right corner of the screen for your Watchlist and more artwork across detail pages for shows and movies, as well as cast and crew profiles. In a post on the Plex forum, the company outlines a ton of improvements it has made to the app since the preview, including faster load times and scrolling, the addition of a sleep timer, and picture-in-picture support.


It’s not a UUID. Those tokens are MD5 hashes of values that can be pregenerated (rainbow-tabled) or guessed. It’s not random. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658
Edit: and a UUID in the URL still means it is capturable by Google search and other crawlers/issues. But somehow security through obscurity is “secure” to you. Y’all are crazy.
My mistake then; it’s more vulnerable than I initially thought. I also don’t think it’s secure even if that weren’t true, just that it’s not worse than single-factor passwords (which you also shouldn’t use if security is a concern).
Thanks for admitting it. A few people simultaneously responded by attacking my warning. Rereading my response to you, I recognize I was a bit more snarky than was warranted, and I apologize for that.
But yeah, 2FA (even simple TOTP) baked in would go a long way on the user front too.
It’s clear that Sony could just generate a rainbow table of MD5 hashes using common naming and folder conventions, make a list of 100k paths to check (or what have you) for their top 1000 movies, then use Shodan (or a similar tool) to find JF instances and check the full table in a few hours, then rinse and repeat on the next server. While that alone shouldn’t be enough to prove anything, the onus at that point becomes your problem: you now have to prove that you have a valid license for all the content they matched, they’ve already got the evidence that you have the actual content on your server, and your instance being public and linkable could be (I’m not a lawyer) sufficient to claim you’re distributing. I can script this attack myself in a few hours (I’d need a few days to generate a full rainbow table). Put this in front of the legal team of one of the big companies? They’ll champ at the bit to make it happen, just like they did for torrents, especially since there’s no defense of printers being on the torrent network when the content is directly on a server that exists on your IP/domain.
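The precomputation attack the last comment sketches, as an added example that is not code from the thread or from the Jellyfin project: a server that derives item IDs from a hash of a guessable path lets an attacker precompute candidate IDs from common naming conventions and simply test whether each one exists, whereas random version-4 UUIDs give nothing to precompute. The `deterministic_id` function, the naming patterns, the title list and the sample library below are assumptions constructed for the illustration; the exact string Jellyfin hashes is not reproduced here, and the "server" is an in-memory set of IDs rather than a network request. What the thread calls a rainbow table is, strictly, a precomputed dictionary of path-to-hash pairs, which is what is built here.

```python
"""
Deterministic (hash-of-path) item IDs versus random UUIDs, and why only the
former can be matched from a precomputed dictionary.

Added example; not Jellyfin's code. `deterministic_id` is a stand-in for any
"MD5 of a guessable path" scheme (assumption: illustrative only, the real
input string is not reproduced). All paths and titles are constructed data.
"""
import hashlib
import itertools
import uuid

# Constructed inputs an attacker could plausibly enumerate (assumptions).
TITLES = [("Inception", 2010), ("The Matrix", 1999), ("Heat", 1995)]
ROOTS = ["/media/movies", "/mnt/media/Movies", "/data/movies"]
EXTS = [".mkv", ".mp4"]
PATTERNS = [
    "{root}/{title} ({year})/{title} ({year}){ext}",
    "{root}/{title}.{year}.1080p.BluRay.x264{ext}",
    "{root}/{title} ({year})/{title}{ext}",
]

# Constructed sample library on the "server" (not real data).
LIBRARY = [
    "/media/movies/Inception (2010)/Inception (2010).mkv",
    "/media/movies/Heat (1995)/Heat (1995).mkv",
    "/media/movies/Some Obscure Home Video.mp4",
]


def deterministic_id(path: str) -> str:
    """Weak scheme: the ID is a pure function of the path, so anyone who can
    guess the path can compute the ID offline."""
    return hashlib.md5(path.encode("utf-8")).hexdigest()


def random_id() -> str:
    """Strong scheme: a v4 UUID carries 122 random bits and has no relation
    to the path, so there is nothing to precompute."""
    return uuid.uuid4().hex


def candidate_paths(titles, roots=ROOTS, exts=EXTS, patterns=PATTERNS):
    """Enumerate every combination of title, root, extension and layout."""
    for (title, year), root, ext, pat in itertools.product(titles, roots, exts, patterns):
        yield pat.format(root=root, title=title, year=year, ext=ext)


def build_table(titles):
    """Precomputed dictionary ID -> candidate path, built once and reused
    against every server probed."""
    return {deterministic_id(p): p for p in candidate_paths(titles)}


def probe(server_ids, table):
    """Stand-in for 'does item <id> exist?' requests: return the candidate
    paths whose precomputed IDs are present on the server."""
    return sorted(table[i] for i in server_ids if i in table)


def demo():
    table = build_table(TITLES)
    weak_server = {deterministic_id(p) for p in LIBRARY}
    strong_server = {random_id() for _ in LIBRARY}
    return {
        "table_size": len(table),
        "matched_deterministic": probe(weak_server, table),
        "matched_random": probe(strong_server, table),
    }


if __name__ == "__main__":
    result = demo()
    print(f"precomputed {result['table_size']} candidate IDs")
    print("hash-of-path server leaks:", result["matched_deterministic"])
    print("random-UUID server leaks:", result["matched_random"])
```

The dictionary is built once and amortised over every server checked, which is the point of the comment: the cost is in the precomputation, not the per-server probing. Only the two library items that follow one of the enumerated conventions are found; the oddly named file is not, and against random IDs the same table matches nothing regardless of how large it grows.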