• Darkassassin07@lemmy.ca · 25 up / 8 down · edited, 9 hours ago

    Without authentication; it’s possible to randomly generate UUIDs and use them to retrieve media from a jellyfin server. That’s about the only actually concerning issue on that list, and it’s incredibly minor IMO.

    With authentication, users (i.e., the people you have trusted to access your server) can potentially attack each other, by changing each other’s settings and viewing each other’s watch history/favorites/etc.

    That’s it. These issues aren’t even worth talking about for 99.9% of jellyfin users.

    Should they be fixed? Sure, eventually. But these issues aren’t cause to yell about how insecure jellyfin is in every single conversation, and to go trying to scare everyone off of hosting it publicly. Stop spreading FUD.

    • Saik0@lemmy.saik0.com · 12 up / 8 down · edited, 9 hours ago

      <admits there are problems>

      <Stop spreading FUD>

      It’s not FUD if it’s real. I could say the same shit for people screaming Jellyfin at literally every chance they get when the topic is Plex. Instead I further the discussion rather than telling other people they’re spreading FUD.

      it’s possible to randomly generate UUIDs

      It’s an MD5 hash of the file path. Not randomly generated, and not a proper UUID.

      Edit: for others that might not understand… Docker files will standardize the path side… *arr suites and general human nature will standardize the file name.

      So a generally guessable file path exists for a LOT of users out there… It’s absolutely possible to guess that many people running Jellyfin would store their version of Big Buck Bunny as /movies/bigbuckbunny (2008)/bigbuckbunny.mkv or similar conventions, and I’ve probably already nailed the path to generate the MD5 for a lot of people running Jellyfin just now.