I enjoy using Jellyfin and hope it continues to improve, but it has some problematic security of its own.
Comment on Plex got hacked.
CriticalMiss@lemmy.world 3 weeks ago
Jellyfin advertisement 🤷♂️
TheGrandNagus@lemmy.world 2 weeks ago
Logical@lemmy.world 2 weeks ago
But if you just run it locally an a media server in your home, and you don’t expose the service to the internet, that doesn’t really matter? Though perhaps more people connect to their Jellyfin instances remotely than I realize.
thax@lemmy.dbzer0.com 2 weeks ago
It matters if someone manages to hide an exploit in jellyfin’s codebase, or more likely, a popular plugin. I imagine many folk have permissive outgoing firewall rules, in which case, an exploit could establish connectivity. Whether that eventually leads to privilege escalation on the jellyfin host would depend upon other variables.
cosmo@lemmy.world 2 weeks ago
Well. If you’re not streaming why have such a service in the first place? If I didn’t stream remotely with Plex (and share with my friends and family) I’d just go back to running Kodi on my htpc like I did ten years ago.
nonfuinoncuro@lemmy.zip 2 weeks ago
steam locally to multiple devices plus for remote streaming I just VPN into my home network
bobzer@lemmy.zip 2 weeks ago
For example?
magguzu@midwest.social 2 weeks ago
bobzer@lemmy.zip 2 weeks ago
Thank you. These should get fixed.
But again, I can host behind a VPN and have zero risk here. I can work around my own shit, a Plex user can’t protect their data when Plex owns it.
weirdbeardgame@lemmy.world 2 weeks ago
Lack of built-in 2FA for one thing
bobzer@lemmy.zip 2 weeks ago
But it’s not difficult to integrate it yourself.
It’s inherently different. Plex liked having your data and didn’t protect it.
Jellyfins security is as good as the infrastructure you build yourself.
localhorst@sh.itjust.works 2 weeks ago
🍮🇫🇮
Retro_unlimited@lemmy.world 2 weeks ago
Just installed that yesterday lol
TheGreenWizard@lemmy.zip 2 weeks ago
OK, coming from a Jellyfin user for years, its not like it’s impervious to any attacks.
BackgrndNoize@lemmy.world 2 weeks ago
Stuff like this can happen to any app, developers are only human, shit happens, but the bigger a company is, the bigger target it becomes, so there is some saftey in an open source app that’s not as popular, but then again a bigger company also has more resources to monitor for security breaches and quickly address them and push out a hot fix, can’t say I know how this works for smaller free open source apps
Sneptaur@pawb.social 2 weeks ago
I think the point here is that Jellyfin doesn’t have a centralized login or website like Plex does. An attacker would have to know about your server and log into it directly to get access. If you run it in a container, there isn’t a lot they can do other than trashing your media library, which you should have protected with filesystem snapshots anyway.
purplemonkeymad@programming.dev 2 weeks ago
Jellyfin doesn’t even have write access to my files. If they can get access into the container’s process then I guess they could add stuff to the web interface which could contain bad stuff.
Sneptaur@pawb.social 2 weeks ago
That’s also a viable solution, but for me I just use Btrfs snapshots on my NAS. My files are stored on a different device and the Jellyfin container only sees them as a mounted dir, not even aware that it’s an SMB mount.