This is not really a question but more a warning. Recently, as part of my job, I was playing with the REDACTED web site. This website is able to provide you with URLs answering some requests.
It was quite a shock for me when I discovered, in the recent searches section, specific requests targeting Plex. If you run this search, you will find more than 1000 Plex servers fully open on the Internet: no password!
I cannot imagine that the owners are willing to share with the entire world their videos, photos (with GPS data), music… and their email address in the account section!
Only one piece of advice: please update to the latest version of Plex and configure the remote access correctly. In case of doubt, connect to your Plex from outside your home to check that it is correctly set up (or ask a friend).
@m3xiz, I redacted the website you mentioned since no one is going to want this type of information to be easier to find. Plex comes up high in search engine results so…
I can’t help but wonder how many of these improper setups might be on NAS boxes where someone turned on the feature, played with it a bit, then forgot about it? This really is a shame because the Plex software is pretty good security-wise once you complete the setup and sign in. Unfortunately this is a user error and not a problem with the software.
@cayars, I understand your approach of removing the site. It is one way of seeing it. I do not share this approach as I believe people need to see it to believe it. Neither approach is better than the other and you are the master here…
Yes, this is a user error. That is the reason why I posted here, hoping people will check their config before blaming Plex if their data is out in the wild.
If you determine the platform of these “open” servers, you’ll find that 90% of these are
a) running older Plex server versions
b) running on FreeBSD or FreeNAS
The rest are either intentionally open or were misconfigured by their owners with “reverse NAT”/“reverse proxies” (just so they can use their own domain name instead of plex.tv).
Can you please highlight what you need to make sure it is secure? I’m pretty sure mine is, as mates have to request to be part of it and I do not allow unsecure connections. Is that enough or do I have to add a PIN to it?
@310dubed said:
Can you please highlight what you need to make sure it is secure? I’m pretty sure mine is, as mates have to request to be part of it and I do not allow unsecure connections.
Yes, I’d consider this reasonably secure.
Is that enough or do I have to add a PIN to it?
The PIN has a different function. It only prevents other members of your Plex Home from switching to your access level.
A 4-digit PIN is not exactly “safe”. It can be broken (if someone is determined) relatively quickly.
Therefore you should only invite people into your Plex Home whom you trust and who live with you in the same household.
So you believe that bad guys will think about those sites only after reading this thread? You prefer to ignore a potential issue instead of doing what it takes to make your beloved pictures safe?
Use the latest version of Plex and ask a friend to connect to your IP. If correctly configured, he should be asked to enter a password. If you have no friends, use whatever means you have to access the Internet from outside your home (4G, Wi-Fi hotspot, Tor browser, …).
@seidler82 said:
Can we delete this thread? I just found this site after reading the redacted post and I never would have thought to look for it until reading this.
Useless. “Security by Obscurity” doesn’t work. This has been proven time and time again.
Only full (responsible) disclosure and subsequent fixing of the bug will make software better.
And it has indeed been fixed. All Plex server versions from 1.7.5 on upwards are immune.
And the particular issue which made this possible wasn’t even a bug. It was a hidden preference which a third-party software developer turned on without documenting it.
He then offered his changed version of Plex Server for download by other users.
It was a preconfigured Plex installation for FreeBSD/FreeNAS.
If you must use an older version of Plex Server, check your configuration file for the line disableRemoteSecurity=1 and either set it to 0 or delete the whole line.
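As an added example (not from the thread or from Plex), a small self-check script for the two points made above: the version threshold of 1.7.5 and the disableRemoteSecurity preference. It assumes the preference is stored either as a key=value line, as described in the post, or as an XML attribute; the sample config text is constructed.

```python
import re

# Constructed sample in the key=value form the post describes.
SAMPLE_CONFIG = """FriendlyName=livingroom
disableRemoteSecurity=1
PublishServerOnPlexOnlineKey=1
"""

KEY = "disableRemoteSecurity"
# key=value line (whole line, including its newline, so removal leaves no gap)
LINE_RE = re.compile(rf'^[ \t]*{KEY}[ \t]*=[ \t]*"?(\d)"?[ \t]*(?:\r?\n|$)', re.MULTILINE)
# XML attribute form (assumption: some installs keep preferences as XML attributes)
ATTR_RE = re.compile(rf'\s{KEY}="(\d)"')

IMMUNE_FROM = (1, 7, 5)  # versions from 1.7.5 upwards are stated to be immune


def needs_manual_check(version: str) -> bool:
    """True for server versions below 1.7.5, which must be checked by hand."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < IMMUNE_FROM


def remote_security_disabled(config_text: str) -> bool:
    """True only if the preference is present and set to 1 (either form)."""
    for rx in (LINE_RE, ATTR_RE):
        m = rx.search(config_text)
        if m:
            return m.group(1) == "1"
    return False


def harden(config_text: str, mode: str = "delete") -> str:
    """Apply one of the post's two fixes: delete the line, or set it to 0."""
    if mode == "delete":
        text = LINE_RE.sub("", config_text)
        return ATTR_RE.sub("", text)
    if mode == "zero":
        text = LINE_RE.sub(f"{KEY}=0\n", config_text)
        return ATTR_RE.sub(f' {KEY}="0"', text)
    raise ValueError("mode must be 'delete' or 'zero'")


if __name__ == "__main__":
    print("old version, check by hand:", needs_manual_check("1.3.2"))
    print("remote security disabled:", remote_security_disabled(SAMPLE_CONFIG))
    print(harden(SAMPLE_CONFIG))
```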