this post was submitted on 01 Apr 2025
75 points (98.7% liked)
Technology
If it bothers you that a 128-bit value, when sent to your server, can retrieve a single piece of media or user info, then I have real bad news about what you can do with a typically much shorter password.
Is it ideal that you can retrieve streams or user info from Jellyfin if you know the ID of the entity you're looking for? No, obviously not. But you need to authenticate to get those IDs in the first place, and there are fewer bits of entropy in most people's passwords than there are in UUIDs.
Being able to get streams unauthenticated by guessing the correct UUID is arguably still better security than using passwords without 2FA.
It's not a UUID. Those tokens are MD5 hashes of values that can be pregenerated (rainbow tabled) or guessed. It's not random. https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2525076658
Edit: and a UUID in the URL still means it's capturable by Google search and other crawlers/issues. But somehow security through obscurity is "secure" to you. Y'all are crazy.
My mistake then, it's more vulnerable than I initially thought. I also don't think it's secure even if that weren't true, just that it's not worse than single-factor passwords (which you also shouldn't use if security is a concern).
Thanks for admitting it. A few people simultaneously responded attacking my warning. So rereading my response to you, I recognize I was a bit more snarky than was warranted, and I apologize for that.
But yeah, 2FA (even simple TOTP) baked in would go a long way on the user front too.
It's clear that Sony could just generate a rainbow table of MD5 hashes with common naming conventions and folder conventions, make a list of 100k paths to check or what have you for their top 1000 movies... and then use Shodan (or a similar tool) to find JF instances, and then check the full table in a few hours... rinse, repeat on the next server. While that alone shouldn't be enough to prove anything, the onus at that point becomes your problem, as you now have to prove that you have a valid license for all the content that they matched; they've already got the evidence that you have the actual content on your server, and you having your instance public and linkable could be (I'm not a lawyer) sufficient to claim you're distributing. Like, I can script this attack myself in a few hours (would need a few days to generate a full rainbow table)... Put this in front of a legal team at one of the big companies? They'll champ at the bit to make it happen, just like they did for torrents... especially when there's no defense of printers being on the torrent network, since it's directly on your server that exists on your IP/domain.
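The two claims above (that the item IDs are MD5 hashes of guessable inputs rather than random UUIDs, and that a precomputed table of likely paths can therefore be replayed against any instance found by scanning) are easy to model in a few lines. The following is an added example written for this thread, not code from Jellyfin or from any commenter. It assumes, purely for illustration, that an ID is MD5 of the library path; the real derivation may mix in other values, but the attack is identical as long as those values are predictable. The titles, library roots and folder layouts are constructed, and `ToyServer` stands in for an endpoint that confirms whether an item exists without authentication.

```python
"""Toy model: path-derived IDs are enumerable from a rainbow table of likely
paths; random UUIDs are not. Everything here is constructed for illustration;
the ID derivation is an assumption, not Jellyfin's actual code."""
import hashlib
import itertools
import uuid


def path_derived_id(path: str) -> str:
    # ASSUMPTION for this demo: ID = MD5(path). Any deterministic function of
    # predictable inputs (type name, root, filename) is attackable the same way.
    return hashlib.md5(path.encode("utf-8")).hexdigest()


def random_id() -> str:
    # 122 random bits: no table of plausible paths can reproduce this value.
    return uuid.uuid4().hex


class ToyServer:
    """Stands in for an instance whose endpoint answers 'does item <id> exist'
    (e.g. 200 vs 404) without requiring authentication."""

    def __init__(self, paths, derive):
        self._items = {derive(p): p for p in paths}

    def item_exists(self, item_id: str) -> bool:
        return item_id in self._items


# Constructed guess space: a handful of titles, roots and layouts. A real
# table would use thousands of titles and every common naming convention.
TITLES = ["Example Film (2001)", "Another Picture (2010)", "Third Feature (2019)"]
ROOTS = ["/media/movies", "/mnt/media/Movies", "/srv/media/films"]
LAYOUTS = [
    "{root}/{title}/{title}.mkv",
    "{root}/{title}.mkv",
    "{root}/{title}/{title}.mp4",
]


def build_rainbow_table(titles, roots, layouts, derive=path_derived_id) -> dict:
    """Precompute candidate IDs once; the same table is reused against every
    server found by a scanner, so the hashing cost is paid a single time."""
    table = {}
    for root, title, layout in itertools.product(roots, titles, layouts):
        path = layout.format(root=root, title=title)
        table[derive(path)] = path
    return table


def probe(server: ToyServer, table: dict) -> dict:
    """One request per candidate ID; returns the paths the server confirmed.
    Each hit is evidence that a specific file exists on that instance."""
    return {cid: path for cid, path in table.items() if server.item_exists(cid)}


if __name__ == "__main__":
    # Constructed library on the victim instance.
    library = [
        "/media/movies/Example Film (2001)/Example Film (2001).mkv",
        "/media/movies/Another Picture (2010).mkv",
    ]
    table = build_rainbow_table(TITLES, ROOTS, LAYOUTS)
    print(len(table), "candidate IDs in the table")
    print("path-derived IDs:", probe(ToyServer(library, path_derived_id), table))
    print("random UUIDs:   ", probe(ToyServer(library, lambda _p: random_id()), table))
```

The two final lines are the whole argument: with path-derived IDs every file whose path follows a guessed convention is confirmed by the probe, while the same table gets zero hits against a server that assigned random UUIDs, because there is nothing predictable to precompute. Adding a second factor to login (as suggested above) does not change this at all if the item endpoints themselves do not require authentication.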