I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Scary le Poo@beehaw.org · 2 days ago

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Link@rentadrunk.org · 2 days ago

How is someone meant to guess what seems to be a randomly generated id? If they try to brute force it then you could probably set up something like fail2ban to block them after a few failed attempts.

I’m not saying video ids shouldn’t require authentication, they should but the risk of someone getting the video id seems fairly low.

Scary le Poo@beehaw.org · edit-2 2 days ago

It isn’t randomly generated. If you read through you would have known that.

Also, Rainbow tables.

tldr, Rainbow tables are precomputed lists of hashed values used to crack password hashes quickly. Instead of hashing each password guess on the fly, attackers use these tables to reverse hashes and find the original passwords faster, especially for weak or common ones. They’re less effective against hashes protected by a unique salt.

i_am_not_a_robot@discuss.tchncs.de · 2 days ago

If the ID is the MD5 of the path, rainbow tables are completely useless. You don’t have the hash. You need to derive the hash by guessing the path to an existing file, for each file.

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet

Collection of potential security issues in Jellyfin · Issue #5415 · jellyfin/jellyfin