App token leak in logs for HTPC and Desktop player apps

An issue was recently identified in some recent releases of both the Plex HTPC and Plex for Windows/Mac/Linux player apps, which could result in user “tokens” being incorrectly visible in the app log files. To be clear, this only occurred when running the specific player app versions, and most users would not have uploaded logs from them to the forums.

Who Is Affected?

The only users who might have been affected by this are those who (all of the below):

  1. run Plex HTPC or Plex for Windows/Mac/Linux player apps
  2. were running an affected version of the app
    • Plex HTPC: v1.34.1 through 1.37.2
    • Plex for Windows/Mac/Linux: v1.65.0 through 1.67.1
  3. shared a log file from the player app with someone else (such as attaching a log file to a forum post)

In such cases, the log file that was shared might have incorrectly included user token information. The vast majority of users will not have publicly shared such a log file and so will not be affected.

How Was it Fixed?

Starting with Plex HTPC version 1.37.3 and Plex for Windows/Mac/Linux version 1.67.2, the issue has been resolved and user tokens are no longer unexpectedly exposed in log files.

To help protect users who may have shared affected log files in our forums, we’ve deleted all affected player app .zip and .log file attachments (for topics tagged as plex-htpc, player-mac, player-windows, or player-linux) which were uploaded during the period when the affected versions of the player apps were available.

What Should You Do?

The main thing to do is simply to update your player apps to the fixed versions noted above (or newer), then either sign out and back into the app, or remove the device/app from your authorized devices list at https://app.plex.tv/desktop/#!/settings/devices/all. Either action will invalidate the token.

You can always find the latest release from our Downloads page.

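For anyone who still needs to share a player log, the following is an added example (not Plex's code) that checks a version against the affected ranges listed above and masks token values in log text before it leaves your machine. It assumes tokens show up as `X-Plex-Token` values in URLs, headers or JSON; the advisory does not describe the log format, and the sample lines are constructed.

```python
import re

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED = {
    "Plex HTPC": ((1, 34, 1), (1, 37, 2)),
    "Plex for Windows/Mac/Linux": ((1, 65, 0), (1, 67, 1)),
}

# Assumption: tokens appear as X-Plex-Token values (query parameter, header
# or JSON field). The advisory itself does not describe the log format.
TOKEN_RE = re.compile(r'(?i)(X-Plex-Token["\']?\s*[=:]\s*["\']?)([^\s&"\',;]+)')


def parse_version(text):
    """Turn '1.37.2' or 'v1.37.2.4321-abcdef' into (1, 37, 2)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(app, version):
    """True if this app/version pair falls inside an affected range."""
    low, high = AFFECTED[app]
    return low <= parse_version(version) <= high


def redact_tokens(log_text):
    """Return (redacted_text, count) with every token value masked."""
    return TOKEN_RE.subn(lambda m: m.group(1) + "<REDACTED>", log_text)


# Constructed sample lines, not taken from a real Plex log.
SAMPLE_LOG = """\
2024-01-01 10:00:00 [info] GET https://server.example:32400/library?X-Plex-Token=CONSTRUCTEDtoken123&x=1
2024-01-01 10:00:01 [debug] headers: {"X-Plex-Token": "CONSTRUCTEDtoken456", "Accept": "application/json"}
2024-01-01 10:00:02 [info] playback started
"""

if __name__ == "__main__":
    print("affected:", is_affected("Plex HTPC", "1.36.0"))
    cleaned, hits = redact_tokens(SAMPLE_LOG)
    print(hits, "token value(s) masked")
    print(cleaned)
```

Redaction only protects future shares; a token that was already exposed still has to be invalidated as described above.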