this post was submitted on 25 May 2025
533 points (99.6% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

Tried to support the industry by buying a movie I watch a lot. Well, no more. If I need a pihole just to watch a movie I own, that's ridiculous.

[–] FeelzGoodMan420@eviltoast.org 1 points 1 week ago (1 children)

Can you explain the issues with Jellyfin? Idk about any of this. What are the issues?

[–] Saik0Shinigami@lemmy.saik0.com 2 points 1 week ago (1 children)

https://github.com/jellyfin/jellyfin/issues/5415

The biggest issue is that the video stream endpoint is not auth'd. Meaning that if someone guesses the MD5 hash for a file in your library it will play. Sounds at first glance like it's unlikely to matter. Except that MD5 is generated based on the file's filepath. So if you use standard naming conventions on paths that are common (/movies/Big Bucks Bunny(2008)/Big Bucks Bunny.mkv for example being simple and easy), e.g. defaults for a docker container using *arr suites, then it's possible for a precompiled hash list to check for files against your server.

So now add a company like Sony, they can generate all their library as a hash list, hit your server with millions of requests over the course of a couple of hours and map out how much of their content you have on your server. If any of it has never had a physical release (since you're allowed to backup your own content) you're completely fucked, and now will have to prove in court that you own ALL the content. And possibly... since it's open endpoint, it could be argued that you're even distributing openly (though unlikely argument... but do you really want to chance that?).

Ultimately if your setup is "Standard" you're asking for a lawsuit.

Answers to "fix" this:

Map your paths in weird folders. Instead of /movies/ add in a folder like a GUID, so /eH4i67ZwByjLao3z7nHWKdS5ogysm68x/movies/. Make sure this occurs INSIDE your docker container if you're using docker. This will break any precompiled hashes... though it's possible to hit a collision and still be "found".

Set up fail2ban or other brute force blocking technology on your reverse proxy.

Use a private network setup... whether VPN, SDN, whatever... tailscale, zerotier, etc... (This will break TVs that don't have vpn capabilities)

Add another auth in front of Jellyfin. (This breaks ALL Jellyfin apps)

The real answer would be the developers closing the unauth endpoints... But it's been an issue for over 4 years now... They're not going to fix it anytime soon as they don't want to "break compatibility", which is a pretty dumb excuse IMO.

There's another issue where you shouldn't give accounts to people you don't trust as one user can attack another user AFTER login. So make sure you trust everyone you let have access... they can screw with your profile and do stuff you might not expect.
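A defender-side check for the hash-list sweep described above, as an added example that is not part of this thread or of Jellyfin itself. It assumes an nginx "combined" access log in front of Jellyfin and assumes the stream endpoint path is /Videos/<id>/stream; the log lines are constructed. It flags source IPs that hit many distinct item IDs on that endpoint in a short window, which is the signal a fail2ban filter on the reverse proxy would key on (a real client replays the same few IDs, a sweep touches a new ID on almost every request).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed nginx "combined" log format; the /Videos/<id>/stream path is an
# assumption about the stream endpoint, not something taken from the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)
STREAM_RE = re.compile(r"^/Videos/(?P<item>[0-9a-fA-F]{32})/stream")

def parse_line(line):
    """Parse one access-log line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    s = STREAM_RE.match(m["path"])
    return {"ip": m["ip"], "ts": ts, "item": s["item"] if s else None,
            "status": int(m["status"])}

def find_enumerators(lines, window=timedelta(minutes=5), max_distinct=20):
    """Return {ip: distinct_item_count} for IPs that requested more than
    max_distinct different item IDs on the stream endpoint within `window`."""
    events = defaultdict(list)  # ip -> [(timestamp, item id)]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["item"]:
            events[ev["ip"]].append((ev["ts"], ev["item"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # Distinct IDs seen in the window starting at this event.
            distinct = {item for t, item in evs[i:] if t - t0 <= window}
            if len(distinct) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged

def sample_log():
    """Constructed sample: one viewer replaying a single ID, one sweeper
    walking 30 different IDs (mostly 404s) within 30 seconds."""
    base = datetime(2025, 5, 25, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /Videos/{item}/stream HTTP/1.1" {st} 0 "-" "-"'
    lines = []
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.9", ts=ts, item=f"{i:032x}", st=404))
        lines.append(fmt.format(ip="198.51.100.4", ts=ts, item="a" * 32, st=200))
    return lines
```

Running find_enumerators(sample_log()) flags only 203.0.113.9; the same distinct-ID logic can be turned into a fail2ban failregex plus a low maxretry on the stream path.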

[–] FeelzGoodMan420@eviltoast.org 1 points 1 week ago (1 children)

Interesting. And I assume this is an issue on Windows too?

The endpoint issue exists in all builds. It would just have a different path in Windows because paths in Windows start with a drive letter.