Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin
github.com
Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...

Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…

  • Waryle@jlai.lu
    1·
    16 hours ago

    Keeping that copy on a web accessible platform that is accessible by anyone on the internet(unauthenticated) isn’t covered by your rights at a bare minimum.

    It’s as accessible as my DVD collection in my living room: anyone can get into my home without a key by illegally breaking a window.

    Using a flaw in my Jellyfin to access my content is illegal and can’t be used against me to sue me, period. The idea of rights holders who would hack me to sue me is just plain ridiculous.

    Depending on the content “timing” if they trigger on something that doesn’t have a physical/consumer release yet… or all sorts of other “impossible” conditions. This is obviously reliant on what content you actually have on your server.

    And again, the only proof they would have could not be used in courts.

    For real, you’re just fear-mongering at this point.

    I was sincerely hoping someone would bring some real concerns, like how one of these security breaches listed in the OP could allow privilege escalation or something, but if all you got is “Universal might hire hackers to break through your server and sue you”, you’re comforting me in my idea that I don’t have much to fear

    • Saik0@lemmy.saik0.comEnglish
      1·
      15 hours ago

      There is no authentication occurring. There is no “hacking” here. Nothing about scanners or bots scraping unauthenticated endpoints is illegal. This would be admissable.

      • Waryle@jlai.lu
        1·
        13 hours ago

        Using a flaw in a software to retrieve data you should not have access to is illegal where I live, the same way as you’re not suddenly allowed to enter my house and fetch my drawers just because I left a window open. I won’t debate this point further.

        • SteevyT@beehaw.org
          1·
          11 hours ago

          Is the place you live anywhere in the US? If yes, then it doesn’t matter because they have the money. If no, then honestly you probably actually have sane laws.

          • Waryle@jlai.lu
            1·
            11 hours ago

            I live in France, and these are the relevant laws :

            • Article 323-1 : you access my server without my authorization -> 3 years of prison, 100k€ fine
            • Article 323-3 : you touch my data in any way -> 5 years of prison, 150k fine
            • Saik0@lemmy.saik0.comEnglish
              1·
              9 hours ago

              Article 323-1 : you access my server without my authorization -> 3 years of prison, 100k€ fine

              Bullshit. Notice the term is fraudulent. They are not making a bad login or accessing anything that requires authorization. There is no requirement here that simply accesses a web page is sufficient.

              Article 323-3 : you touch my data in any way -> 5 years of prison, 150k fine

              Again FRAUDULENT. Since it’s public access, there’s nothing illegal happening here. Further any company that would be scanning for this material to build a lawsuit would have the legal right to reproduce the content (eg a law-firm that was contracted by universal, sony, etc…)

              It requires authentication or bypass of functioning code to be fraudulent. Making calls to apis that have no authentication cannot be illegal. This is literally how a good chunk of the internet itself works. If it was illegal the internet wouldn’t exist in your country.

              Edit: Just to make it clear. It’s not a “flaw”. The github link itself shows that the managers of jellyfin are aware of the problem and intentionally do not “fix” it as they want backwards compatibility.

              • Waryle@jlai.lu
                1·
                9 hours ago

                https://www.legifrance.gouv.fr/juri/id/JURITEXT000030635061/

                Case law from the Cour de Cassation, where the defendant was convicted, by Articles 323-1 and 323-5, of having extracted data freely following a proven failure of the protection system.

                The complainant just had to show that the data SHOULD have been inaccessible, by expressing this “with a special warning” :

                "3°) alors qu’en l’absence de dispositif de protection des données, la maître du système doit manifester clairement et expressément manifester, par une mise en garde spéciale, sa volonté d’interdire ou de restreindre l’accès aux données ; qu’en déduisant de la seule présence d’un contrôle d’accès sur la page d’accueil du site de l’ANSES que M. X… s’était irrégulièrement maintenu dans le système contre le gré de son propriétaire, la cour d’appel a violé l’article 323-1 du code pénal ;

                Translated :

                “3°) whereas in the absence of a data protection system, the master of the system must clearly and expressly manifest, by means of a special warning, his intention to prohibit or restrict access to the data; that in deducing from the mere presence of an access control on the home page of the ANSES site that Mr. X… had irregularly maintained himself in the system against the owner’s will, the Court of Appeal violated article 323-1 of the French Penal Code ;

                In my case, the first thing you see when you arrive at my Jellyfin instance is a login form blocking your entry, and you have to go through a backdoor to access my data, so there’s no ambiguity on this point.

                You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

                • Saik0@lemmy.saik0.comEnglish
                  1·
                  9 hours ago

                  You’re wrong, period. Stop trying to debate laws interpretation of a country you don’t even speak the language of.

                  LMFO. I actually speak English, French, Polish, and German (in proficiency order) and have an EU citizenship.

                  I just happen to live in the USA. So congrats, you’re wrong again. Try not to resort to personal attacks next time. You’ll look much less silly.

                  YOUR intention doesn’t matter. You don’t maintain the jellyfin code. The actual code designers specifically left the endpoints open for “compatibility”. There was a conscious decision for those endpoints to not require authorization, and worse, IT’S DOCUMENTED. This is not like the case you’re quoting. If accessing endpoints without auth was ever illegal, almost all IoT devices would be illegal, a good chunk of gaming and other services would be illegal, etc… This premise is asinine.

                  You realize that google and other sites regularly scan and capture direct links to websites without ever giving a shit about a login page somewhere else on the site. You don’t see lawsuits against any of those crawlers, nor the people who click the crawled links when they return in a search result. This is the exact same premise.

                  • Waryle@jlai.lu
                    1·
                    9 hours ago

                    Oh you insufferable rawgabbit. Even in the face of definitive proof, the only thing you care about is throwing a 4 paragraphs tantrum trying to twist every single word just to not say “OK, maybe I was wrong on that thing”. I’m out.