Anonymous users are able to load Plex Web App from my server - what gives?

Server Version#: 1.16.2.1297-4b7ace214 (amd64 Ubuntu Linux)
Player Version#: Web and Roku

My Plex server is connected to Plex via a paid Plex Pass. Seemingly anybody is able to logon to the Plex interface on my Linux Plex media server, publicly available on port 32400, by simply creating an account at Plex - offered at the time of logon attempt by either e-mail, Google account or Facebook account - and retrieve a bare-bones interface hosted on my server. They do not have access to any of my local or shared libraries but they are still presented with an interface asking them to install Plex Media Server. They are able to access plugins like News, TIDAL (why are you all connecting this garbage in anyway?), podcasts, web shows, etc. My “guest user” is disabled as well, yet it doesn’t matter because someone can just make an account and it is accepted for login.

Again, this is a random e-mail based Plex account I created on-the-fly after accessing my server via https://:32400/. Anonymous users on the Internet are able to access resources on my server (besides my library, at least it appears that way) despite only two users being permitted logon to my server. I do not know if this is a side-effect of being connected to the ‘Plex cloud’ / plex login infrastructure via the paid pass or what as I haven’t used my server in a non-paid capacity in quite a while, but it is very irritating and concerning.

My concern is that someone may be able to access either my libraries, the server filesystem, other resources on the server, originate queries from the server, etc. should there be some vulnerabilities within the primary web server interface. What with the whole interface changing in the past year or so (which blind-sided me and forced me to upgrade my whole setup from my Roku - the new client interface is laggy on Roku SE - to my server) without warning and without option, I imagine there are plenty of bugs yet to be discovered. And being a guinea pig for these bugs to be exploited because my server is publicly accessible is unsettling.

Authentication should be authentication - if a user isn’t authenticated, he should not get beyond the logon process. Yet, here I am able to create an account and access.

A search for Plex server security pulls up a lengthy page about SSL and DNS rebinding. SSL is not making access to my Plex server secure, it’s just encrypting the connection end to end and ensuring that the server on the end is actually my server (although, not really, unless there’s a signed cert) / preventing MITM. I however cannot imagine why anyone would be conducting a MITM attack to steal Plex credentials. I can imagine, however, why someone would want to be able to get basic access to the server interface via an unprivileged / user without shared libraries so that they can try and exploit scripts on the server.

Is there a way to allow ONLY the permitted users (the two in my list with whom I share libraries) to logon at all to my server? Do I need to disconnect from the Plex Pass in order to achieve this? What’s the deal here?

Thanks

I know any user who creates an account on Plex gets the online stuff automatically whether or not they are connected to a PMS server.

Hi @egonline

Just to clarify, any user can load the Plex Web app from a server. Once loaded into the user’s browser, they can then log in. Once they log in, it only loads content that is accessible to the user.

What the user is effectively doing is using your local PMS’s bundled Web App, rather than loading the hosted https://app.plex.tv/desktop app.

Regardless of which app the user loads, they can ONLY access content that they have access to. News, Podcasts, Web Shows, etc are all provided by plex.tv and available for all so that is why they show up for the new user account.

I hope this clears things up :slight_smile:

Plex Pass has nothing to do with remote access.

In addition to what was said above: News, Podcasts, TIDAL and Web Shows are not plugins and are not tied to your server or anyone else’s. They are free online media any regular Plex account has access to whether they have a server or not. You can control if your managed users can see them, but regular accounts have their own controls: https://app.plex.tv/desktop#!/settings/online-media-sources
https://support.plex.tv/articles/#cat-online-media-sources

I am confused; if these applications are being provided by plex.tv, why are these plugins/‘widgets’/applications/whatever being accessed thru requests to my server?

For instance, if I put in the unique SHA1 token for my server in the /settings/server request, for the newly created user, the interface will change from ‘create / search for a server’ to ‘No soup for you - server access denied’. This is good as it is denying them access to my server’s libraries and assets in that respect, but what I am worried about is that they are still pulling content from my server.

So - I guess the question is, why is any user allowed to access any of my server content aside from the login page, ‘login denied’, and what have you? I haven’t looked at the actual traffic and server logs yet to see what is transiting, but how much of it involves my server? After all, the URL the anonymous / unauthenticated user is sending requests to is my server IP and port.

Thanks

They aren’t being accessed through your server… The web app is just an interface which gets loaded into browser memory. It is accessing streams from those online sources that do not touch your server at all. They go directly from the source to the browser being used by the user.

Create a brand new user (do not share your server with it at all), go to https://app.plex.tv/desktop, and they will see the same things.

If you are concerned about the web interface initially loading from your IP, then I would change the external port in your port forwarding to something other than 32400. Also, don’t give friends that you do share with your IP. Just tell them to sign into app.plex.tv/desktop.
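The original poster said they had not yet looked at the server logs to see how much of the anonymous user’s activity actually touches the server. The script below is an added example, not code from the thread or from Plex: it triages constructed log lines in the general shape of Plex Media Server’s “Request:” entries (the exact format, the category buckets, and the sample IPs are assumptions; adjust the regex to match your own log), separating loads of the bundled Web App’s static files from requests that would reach library or metadata endpoints, and listing the library requests that arrived without a signed-in token so they can be checked for a 401/403 response.

```python
import re
from collections import defaultdict

# Constructed sample lines. They imitate the general shape of the "Request:"
# entries in Plex Media Server.log (ASSUMPTION: the real log format is similar;
# change REQUEST_RE below if yours differs). IPs are documentation addresses.
SAMPLE_LOG = """\
Aug 01, 2019 12:00:01.000 [0x7f10] DEBUG - Request: [203.0.113.7:51234 (WAN)] GET /web/index.html (1 live) #1 Unauthenticated
Aug 01, 2019 12:00:01.200 [0x7f10] DEBUG - Request: [203.0.113.7:51235 (WAN)] GET /web/js/main.js (1 live) #2 Unauthenticated
Aug 01, 2019 12:00:05.000 [0x7f10] DEBUG - Request: [203.0.113.7:51236 (WAN)] GET /identity (1 live) #3 Unauthenticated
Aug 01, 2019 12:00:06.000 [0x7f10] DEBUG - Request: [203.0.113.7:51237 (WAN)] GET /library/sections (1 live) #4 Unauthenticated
Aug 01, 2019 12:01:00.000 [0x7f10] DEBUG - Request: [192.0.2.10:40000 (WAN)] GET /library/sections (1 live) #5 Signed-in Token (alice)
Aug 01, 2019 12:01:02.000 [0x7f10] DEBUG - Request: [192.0.2.10:40001 (WAN)] GET /library/metadata/1234 (1 live) #6 Signed-in Token (alice)
"""

# Client IP, HTTP method, path, and whether the server saw a signed-in token.
REQUEST_RE = re.compile(
    r"Request: \[(?P<ip>[\d.]+):\d+[^\]]*\] "
    r"(?P<method>[A-Z]+) (?P<path>\S+).*?(?P<auth>Signed-in|Unauthenticated)"
)


def categorize(path):
    """Bucket a request path by what it touches on the server (assumed buckets)."""
    if path == "/web" or path.startswith("/web/"):
        return "webapp-static"   # the bundled Web App shell: HTML/JS/CSS only
    if path in ("/", "/identity"):
        return "server-info"     # unauthenticated server identity/capabilities
    if path.startswith(("/library/", "/playlists", "/hubs", "/status/sessions")):
        return "library"         # anything that could expose media or metadata
    return "other"


def parse_requests(log_text):
    """Return (ip, method, path, signed_in) for every Request: line."""
    found = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            found.append((m["ip"], m["method"], m["path"], m["auth"] == "Signed-in"))
    return found


def summarize_by_client(log_text):
    """Per client IP: request counts per category, split by signed-in vs anonymous."""
    summary = defaultdict(lambda: defaultdict(int))
    for ip, _method, path, signed_in in parse_requests(log_text):
        key = f"{categorize(path)}:{'auth' if signed_in else 'anon'}"
        summary[ip][key] += 1
    return {ip: dict(counts) for ip, counts in summary.items()}


def unauthenticated_library_requests(log_text):
    """Library/metadata requests made without a signed-in token.

    These are the lines worth cross-checking against the matching response
    entries to confirm the server answered 401/403 rather than serving data.
    """
    return [
        (ip, path)
        for ip, _method, path, signed_in in parse_requests(log_text)
        if categorize(path) == "library" and not signed_in
    ]


if __name__ == "__main__":
    for ip, counts in summarize_by_client(SAMPLE_LOG).items():
        print(ip, counts)
    print("anonymous library requests:", unauthenticated_library_requests(SAMPLE_LOG))
```

On the constructed sample, the anonymous client only fetches the Web App’s static files, the server identity, and one library call that should be denied; the signed-in user is the only one whose library requests should be served. Run it against a real Plex Media Server.log (after checking that the regex matches your version’s line layout) to see the same split for your own server.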
