2mo ago

Important Notice of Security Incident

forums.plex.tv

Additional read: https://www.bleepingcomputer.com/news/security/plex-tells-users-to-reset-passwords-after-new-data-breach/

68 comments

Went there to update my password but got reminded what a horrible experience Plex is these days, so deleted my account instead.
- Wdym it's like a couple of clicks
  
  They're probably just using some shit browser or something. I had no issues either.
- :D
- Same lol, using jellyfin now instead
Meanwhile I made a post asking if plex is bad now and most people on it said "no it's great I paid for my lifetime pass years ago and its been the best!" Yeah, we know the truth now.
Jellyfin all the way.
- Seems unlikely that this happened. Most people on Lemmy despise Plex and forgive all the shortcomings of Jellyfin
  
  Thats what I thought too. But I posted on ask lemmy, not here.
- I'd love to switch. I would do it right now, but the problem is that Jellyfin's security isn't better if you open it up to the internet. For example, I'd have to set up a VPN for my remote users for proper security, and most of my users are in other states, not technically inclined, and watch on their TVs. I'd have to at least support a raspberry pi for them, or some sort of site to site VPN, and if it goes down, I'll be expected to fix it. On top of that, if I do a simple raspberry pi based VPN, it would be made even more complicated since they'd want it to work with their smart TVs.
  Again, I really want to switch. But Jellyfin needs to fix their security issues before I can. I'm also happy with the way Plex is reporting this, it's above the standard "your data is lost" notifications.
  Edit: here's a link to the related GitHub issue I've been following: https://github.com/jellyfin/jellyfin/issues/5415
  And @Saik0Shinigami@lemmy.saik0.com has a great thread explaining more: https://lemmy.today/comment/18923504
  
  Jellyfin is great... As long as you're the only one who needs to access the server. I've switched to using Jellyfin myself, but I still run Plex for others to access.
  I've found that I get a smoother playback experience on Jellyfin, but even outside of potential security issues, there are a still couple of features I miss from Plex.
  
  Most of these require some form of random id to exploit, which leaves you either brute forcing ids or brute forcing a user account
  
  My big complaint with Jellyfin is that their documentation showed a “fast forward” hotkey that convinced me to switch from Plex, and when I started it up it was a misnamed “jump forward five seconds” button instead.
  It’s still better for my needs, but I remain angry.
  
  This is the same reason I haven’t switched. My parents use it to watch the local OTA channels and I have zero intention of supporting a site to site VPN on their home network and multiple mobile devices.
  
  Thank you for that issues link. I keep trying jellyfin every now and then and I run into issues with general bugginess so I haven't been able to switch. Seeing that it's kinda full of security holes makes me even more reticent.
- Leave Plex
  alone!
- Even is plex is "bad" now, it's still years ahead of jellyfin.
- Plex hasn't been getting better, but it still does what I need. I have a lifetime pass from years ago. If I was starting today I would be a lot less inclined to pay for Plex though. They keep adding things I don't want.
Glad I started out with Jellyfin
- I mean, jellyfin is absolutely even.more of a security nightmare than Plex, with multiple unfixed CVEs IIRC (software, not website or forum)
  I use jellyfin also, but I only trust it not exposed to the internet at all. That is one very big area of improvement for them.
  That and subtitle syncing.
- Same here.
I am curious as to why people thing Plex is self hosting if Plex can change how your server functions? I have never personally considered it self hosting but do others still think it is?
- Yes. It’s running on my server. That I host.
  
  And you fully control the service?
- Because you are hosting the server software on your own hardware. That's literally self-hosting. Plex provides a way to remotely access your server through their own network as well, which is optional.
  
  The problem with Plex is it isn't fully hosted. Plex controls user passwords. You can't use it without logging into their servers.
  
  On a side note: you can remotely access any service running on home network via Tailscale[1] / Cloudflare Tunnel. Your services are never exposed on Internet. Moreover, you don't need to rely on Plex for that.
  [1] https://tailscale.com/ [2] https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/
- By your logic the *arr suite isn't self hosted either since they rely on metadata cache servers.
  In fact Jellyfin relies on external services for their metadata too!
- Plex is self hosting, the auth is not.
  
  So is the auth needed to set up your plex in the first place? It has been forever sence I used it.
- Even though there are some cloud services like remote server management, proxies, and 3rd party integration, I do actually have to run the software myself on my hardware. Hence, self hosted.
- How is that any different than any other software package? Unless you're coding it yourself, things can be changed without your permission.
  
  And even if you do code it yourself, you may have dependencies that do undesirable things outside your control.
  
  Jellyfin I don't have to update if I don't want to. Jellyfin can't force me to update by taking a function I currently have away or force my to pay to keep using it the way I currently am. With open code I can fork it and keep it at the version I want if I choose.
- You are a bot? That's what I'm seeing in Boost anyhow
  
  Just asking a question looking for answers, not a not. Cheers mate.
I dropped it in favor of Jellyfin some time back, but this was a good excuse to go ahead and delete my family's accounts.

68 comments