Following months of testing, Plex has started to roll out its redesigned mobile app to Android and iOS devices, and it will arrive to everyone within the next week. The new app comes with an updated navigation system that should make it easier to access different parts of the app and find content to watch, along with a dedicated tab for centralized media libraries.
It also has a button in the top-right corner of the screen for your Watchlist and more artwork across detail pages for shows and movies, as well as cast and crew profiles. In a post on the Plex forum, the company outlines a ton of improvements it has made to the app since the preview, including faster load times and scrolling, the addition of a sleep timer, and picture-in-picture support.
I hate this update
If only Jellyfin onboarding was as easy for friends and family…
What makes it harder is that you can’t just expose it to the internet… https://github.com/jellyfin/jellyfin/issues/5415
In order to use Jellyfin you now have to get all your users onto a vpn or some other tunneling service. It’s crazy.
I have both installed… I want to deprecate Plex SO FUKCING BAD. But Jellyfin just isn’t good enough.
If the fact that a 128-bit value when sent to your server can retrieve a single piece of media or user info then I have real bad news about what you can do with a typically much shorter password.
Is it ideal that you can retrieve streams or user info from Jellyfin if you know the ID of the entity you’re looking for? No, obviously not. But you need to authenticate to get those IDs in the first place, and there are fewer bits of entropy in most people’s passwords than there are in UUIDs.
Being able to get streams unauthenticated by guessing the correct UUID is arguably still better security than using passwords without 2FA.
It’s not a UUID. Those tokens are MD5 hashes of values that can be pregenerated (rainbow tabled) or guessed. It’s not random. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658
Edit: and UUID in the URL still means capture-able by google search and other issues/crawlers. But somehow security through obscurity is “secure” to you. Y’all are crazy.
My mistake then, it’s more vulnerable then I initially thought. I also don’t think it’s secure even if that weren’t true, just that it’s not worse than single factor passwords (which you also shouldn’t use of security is a concern).
Thanks for admitting it. A few people simultaneously responded attacking my warning. So rereading my response to you, I recognize I was a bit more snarky than was warranted, and I apologize for that.
But yeah, 2fa (Even simple TOTP) baked in would go a long way too on the user front too.
It’s clear that Sony could just generate a rainbow table of hashes in MD5 with common naming conventions and folder conventions, make a list of 100k paths to check or what have you for their top 1000 movies… and then shodan(or similar tool) to finding JF instances, and then check the full table in a few hours… rinse repeat on the next server. While that alone shouldn’t be enough to prove anything, the onus at that point becomes your problem as you now have to prove that you have a valid license for all the content that they matched, they’ve already got the evidence that you have the actual content on your server, and you having your instance public and linkable could be (I’m not a lawyer) sufficient to claim you’re distributing. Like I can script this attack myself in a few hours (Would need a few days to generate a full rainbow table)… Put this in front of a legal team of one of the big companies? They’ll champ at the bit to make it happen, just like they did for torrents… especially when there’s no defense of printers being on the torrent network since it’s directly on your server that exists on your IP/domain.