Hi!
We have an issue open to stop both endpoints from returning tokens, now that we have verified that no instance of PMS or a Plex client is using them anymore. It should be patched in production soon.
That being said, let me also add that while returning tokens in these endpoints is bad practice (which is why we’re patching them), to retrieve such tokens you need to already be authenticated with a non-transient token yourself, one that has similar (if not more elevated) credentials to those provided by the other ones.
For example, getting tokens from shared_servers requires you to have a token associated with the server’s admin account. If you have that, you already have the keys to the castle. If you hit the endpoint on a server you’re not the admin of, you get nothing.
Sure, you can get different tokens, but if an attacker can hit those endpoints then the system was already compromised elsewhere.
I’m not trying to make light of a security issue. We take these seriously, and react by patching the more severe vulnerabilities as soon as possible. Others might get prioritized slightly lower, but get addressed nonetheless.
I hope that helps.