230
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 02 Apr 2025
230 points (100.0% liked)
Technology
38453 readers
642 users here now
A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.
Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.
Subcommunities on Beehaw:
This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.
founded 3 years ago
MODERATORS
The last set of comments is from 2024. These have not been addressed. The fact that it is possible to stream without auth is just bonkers.
The entirity of jellyfin security is security via obscurity which is zero security at all.
"As a cybersec researcher", the limp wristed, hand wavy approach to security should be sending up alarm bells. The fact that it doesn't, means that likely either, you don't take your research very seriously, or you aren't a "cybersecurity researcher".
"Thank you for this list. We are aware of quite a few, but for reasons of backwards compatibility they've never been fixed. We'd definitely like to but doing so in a non-disruptive way is the hard part."
Is truly one of the statements of all time.
You can't say that a solution is no security at all when it requires time and intelligence to bypass.
It is at least 0.01 security.
Effort or no, if an attacker can reasonably bypass it, it's not secure. That's why software gets security patches all the time, why encryption/hashing algorithms can fall out of favor, and why quantum computing can be pretty fucking scary.
No system is secure.
#confidentlyincorrect
The votes are not on your side
I didn't say it's secure, I just said it's security.
You’re hiding behind literal definitions to avoid addressing the functional issue/implications.
This is like when somebody says “no one believes that“ and the other person finds a tweet by one person that believes the thing. The claim isn’t that literally not one person does, it’s that it’s so unusual you may as well act as if nobody does.
Surely you understand how people talk and basic vernacular?
Surely you understand how a stupid response to a silly statement like it is one of the sayings of all time can be appropriate in humorous situations, right?
I understand that you did not find it funny, but I hope that you can understand that it was my intention to be funny, and therefore a serious response is disproportionate.
I thought you were being serious as well. I've dealt with enough people who would genuinely make that argument so I assume nothing.
The humorous intent was not obvious.
It definitely was lol
👍
When "hundredths fractions of security" fails to get a laugh, I know I'm in the wrong group of people.
Kinda was. Sry.
oh well if you’re saying so then it must be true.
No, in this case it's true independent of my opinion or perspective.
I’d love to see your homework on that. Must be really interesting data points here. I’d love the ability to prove my opinions and ramblings on the Internet are “objectively true.”
All this BS aside I was clearly wrong because they said so. It was a mistake. You’re going to survive.
I'm sorry if I made you upset. Honestly.
Ofc I have no work regarding that because I was shitposting. I was hoping you'd take things a bit more lightly.
Personally, I'm a bit within the autism spectrum. When I was a kid I had a lot of trouble with some social hints that other people seemed to pick up really fast. With time some of those things I've learnt to pick up better, and others not so much. Also got bullied and that wasn't fun.
My impression of this situation is that you misread a social hint, which is fine, and then got a little bit defensive about it, which is also fine. I can understand that. Has happened to me a billion times and I'm not as graceful as you are.
It's just like.. For me it was better to, at some point, stop resisting the pain of accepting I didn't read these things as well as others did and just admitting "sorry, sometimes i don't get when ppl are joking" because it reminded me of being in the spectrum and therefore different... For me, this was unthinkable... So I kept insisting on points when many others were telling me, with relative compassion, that I may have made a mistake.
I don't care about the issue we were talking about anymore. Just want you to understand that even if I do believe you made a mistake in reading the situation, It's not what I now consider relevant of this conversation, don't think you were wrong in your perspective regarding security and I'm not laughing at you. I'm not doing anything at your expense. Just sharing a personal difficulty with you for your own possible benefit.
Idk if you can relate, but if you can maybe it could help.
Peace, friend, and have a great week. <3
I’m not upset, you’re just being annoying. And for somebody who says you don’t care or otherwise not invested in all of this, this comment is pretty damn long. So I skipped to the end, have a great rest of your week as well I guess. Assuming you’re actually being sincere.
And before you complain that it’s disrespectful of me to not even read what you wrote or whatever, frankly I found it very disrespectful that you opened up by trying to make me sound emotional and unable to process this rationally and tried to diagnose me (which as someone with autism I’m sure you understand how problematic that is to do to a stranger online after like 2 comments).
A lot of this is simply a really rude Internet argument tactic that I don’t appreciate. I’m calm. I’m being rational. You’re just being rude and again, problematic.
I'm sorry I upset you, but yes, you were coming off a little emotional.
I didn't mean to be rude.
What I shared was a personal story about my life which is painful for me to remember. I don't go around sharing shit stuff with people who want to harm me. I share it with people who i think could benefit from it.
I really hope you have an awesome day cause to me, regardless of anything that's been said, you seem like an awesome person. <3
I’m going to try and take a step back here and really give you a more charitable interpretation.
I am sorry I had such a reaction in some ways. I do not appreciate the implications and accusations you threw my way, but I can believe that they were not meant to be like that and I can get past it. Have a good rest of your week.
You too friend, and sorry for being mean.
No, you misunderstood. I do care, but not about the issue. About you.
I could be wrong about the issue.
How about 0.001 security?
How is someone meant to guess what seems to be a randomly generated id? If they try to brute force it then you could probably set up something like fail2ban to block them after a few failed attempts.
I’m not saying video ids shouldn’t require authentication, they should but the risk of someone getting the video id seems fairly low.
It isn't randomly generated. If you read through you would have known that.
Also, Rainbow tables.
tldr, Rainbow tables are precomputed lists of hashed values used to crack password hashes quickly. Instead of hashing each password guess on the fly, attackers use these tables to reverse hashes and find the original passwords faster, especially for weak or common ones. They're less effective against hashes protected by a unique salt.
If the ID is the MD5 of the path, rainbow tables are completely useless. You don't have the hash. You need to derive the hash by guessing the path to an existing file, for each file.
How unique do you suppose file system paths are?
How many hashes would one need to gather to quickly determine the root path for all files? Paths are not random so guessing the path is just a rainbow table.
The scanning for known releases becomes trivial once the file system pattern is known.
I've not looked but if the video id is based on its path, then surely the path includes the filename no? You can't split a hash into its separate original parts, you either guess the entire thing or not. So in that case, the hash is going to challenging to brute force.
It's not that challenging if you are looking for specific media files, but if you wanted to enumerate the files on a server it's basically impossible.
Well lets say your a big movie studio... In the past 10 years you've released 40-50 movies. You pay some lawfirm to go out and find illegal copies of your movies.
Those 40-50 movies * 1000 or 10000 common paths/names makes you a nice table of likely candidates. Prehash that table in MD5. It doesn't take all that much effort to "enumerate" all the movies that your studio cares about. 50000 http requests is childs play and you can scan a public server within minutes for your list.
Fully bruteforcing the thing... yeah that's ridiculous. But I don't think that people are naming bigbucksbunny.mkv as Rp23GXTHp4GN7P6j86HjRdxtfSKKAArj.mkv. So it's not like we're looking for "random" or "all" files anyway.
I don't think anyone was ever saying that the risk here is full enumeration. Though it is technically possible with sufficient time... just will take a lot of time.
That is possible, but I don't think you need to worry about that. Having a copy of a movie is not normally itself a crime.
Having it publicly accessible on a web server is distribution. And that normally IS a crime unless you have some licenses to do so.
I think in this case whether it's distribution or not would have to go to court. It's not intentended to be distribution. Depending on the judge and the lawyers it could be distribution or not distribution or the prosecution may have committed a crime in finding it.
Sure. Now who here wants to litigate it and find out?
Web scanners/crawlers aren't illegal though. And since it's not authenticated there's no attempt to break any security/authentication/encryption. You don't get in trouble for finding a random URL in a google search and accessing it. You'd get in trouble if you had to bypass some security measure to get there.
The point of this all is that these endpoints have no measure in place. Seemingly on purpose, and it's documented by the maintainers that they don't intend to fix it and leaving it open is intentional.
You can gamble it. I won't. I just can't accept that "Jellyfin is better" that keeps getting pushed when big gaping problematic holes like this exist.
Trying hundreds or thousands of hashes against the servers of random unconsenting people on the internet is beyond what I would be comfortable with. People have been prosecuted for less. It's not the same as a crawler where you try a few well known locations and follow links. You're trying to gain access to a system that somebody did not intend for you to have access to.
These endpoints probably don't have protection because they were never designed to and it's hard to add it later. Theoretically, if the IDs are random that's probably good enough except that you wouldn't be able to revoke access once somebody had it. The IDs probably aren't random because at some point only the path is used. It's how software evolves. It's not on purpose that somebody may be able to guess the ID to gain access to it.
If the server is using a standard path prefix and a standard file layout and is using standard file names it isn't that difficult to find the location of a media file and then from there it would be easier to find bore files, assuming the paths are consistent.
But even for low entropy strings, long strings are difficult to brute force, and rainbow tables are useless for this use case.