Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
The last set of comments is from 2024. These have not been addressed. The fact that it is possible to stream without auth is just bonkers.
The entirity of jellyfin security is security via obscurity which is zero security at all.
“As a cybersec researcher”, the limp wristed, hand wavy approach to security should be sending up alarm bells. The fact that it doesn’t, means that likely either, you don’t take your research very seriously, or you aren’t a “cybersecurity researcher”.
“Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they’ve never been fixed. We’d definitely like to but doing so in a non-disruptive way is the hard part.”
Is truly one of the statements of all time.
How is someone meant to guess what seems to be a randomly generated id? If they try to brute force it then you could probably set up something like fail2ban to block them after a few failed attempts.
I’m not saying video ids shouldn’t require authentication, they should but the risk of someone getting the video id seems fairly low.
It isn’t randomly generated. If you read through you would have known that.
Also, Rainbow tables.
tldr, Rainbow tables are precomputed lists of hashed values used to crack password hashes quickly. Instead of hashing each password guess on the fly, attackers use these tables to reverse hashes and find the original passwords faster, especially for weak or common ones. They’re less effective against hashes protected by a unique salt.
If the ID is the MD5 of the path, rainbow tables are completely useless. You don’t have the hash. You need to derive the hash by guessing the path to an existing file, for each file.
How unique do you suppose file system paths are?
How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.
The scanning for known releases becomes trivial once the file system pattern is known.
If the server is using a standard path prefix and a standard file layout and is using standard file names it isn’t that difficult to find the location of a media file and then from there it would be easier to find bore files, assuming the paths are consistent.
But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.
I’ve not looked but if the video id is based on its path, then surely the path includes the filename no? You can’t split a hash into its separate original parts, you either guess the entire thing or not. So in that case, the hash is going to challenging to brute force.
It’s not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it’s basically impossible.
Well lets say your a big movie studio… In the past 10 years you’ve released 40-50 movies. You pay some lawfirm to go out and find illegal copies of your movies.
Those 40-50 movies * 1000 or 10000 common paths/names makes you a nice table of likely candidates. Prehash that table in MD5. It doesn’t take all that much effort to “enumerate” all the movies that your studio cares about. 50000 http requests is childs play and you can scan a public server within minutes for your list.
Fully bruteforcing the thing… yeah that’s ridiculous. But I don’t think that people are naming bigbucksbunny.mkv as Rp23GXTHp4GN7P6j86HjRdxtfSKKAArj.mkv. So it’s not like we’re looking for “random” or “all” files anyway.
I don’t think anyone was ever saying that the risk here is full enumeration. Though it is technically possible with sufficient time… just will take a lot of time.
That is possible, but I don’t think you need to worry about that. Having a copy of a movie is not normally itself a crime.
You can’t say that a solution is no security at all when it requires time and intelligence to bypass.
It is at least 0.01 security.
Effort or no, if an attacker can reasonably bypass it, it’s not secure. That’s why software gets security patches all the time, why encryption/hashing algorithms can fall out of favor, and why quantum computing can be pretty fucking scary.
No system is secure.
#confidentlyincorrect
The votes are not on your side
I didn’t say it’s secure, I just said it’s security.
You’re hiding behind literal definitions to avoid addressing the functional issue/implications.
This is like when somebody says “no one believes that“ and the other person finds a tweet by one person that believes the thing. The claim isn’t that literally not one person does, it’s that it’s so unusual you may as well act as if nobody does.
Surely you understand how people talk and basic vernacular?
Surely you understand how a stupid response to a silly statement like it is one of the sayings of all time can be appropriate in humorous situations, right?
I understand that you did not find it funny, but I hope that you can understand that it was my intention to be funny, and therefore a serious response is disproportionate.
I thought you were being serious as well. I’ve dealt with enough people who would genuinely make that argument so I assume nothing.
The humorous intent was not obvious.
Kinda was. Sry.
oh well if you’re saying so then it must be true.
It definitely was lol
👍
When “hundredths fractions of security” fails to get a laugh, I know I’m in the wrong group of people.
How about 0.001 security?