Plex Server scans for wallets?

I think this is a totally different matter.
I am almost willing to bet that this user has put his whole local home network into “List of IP addresses and networks that are allowed without auth”.
And his phone is connected to his home WiFi while doing this.
And he is now surprised that this does exactly what it says on the tin.

1 Like

Figured I would point it out just in case. Thanks for being quick!

:joy: oh … thanks very much

Ah, you mean this.

In my case 3 tokens were matching to previous. The other devices had received a new token.

Let me look into this and see if I can reproduce.

1 Like

Thanks for looking into this.
Have you any update for us?

Any updates on all this? I’ve disconnected my Plex from web since mine had issues with files being accessed for external IPs… (I don’t give access and never have to anyone). Would be nice to hear officially if there was something compromised or if it’s “still being worked on even”. Been radio silent for some time.

Did anything get discovered here? Was strange to have so many have this happen early this year. I find it hard to believe it was account data from 2015 breach. My virus scanner caught Plex trying to access something outside of the scan path, which alerted me to check log and see someone (external IP) using a token to do such action. I’ve never shared Plex with anyone. This has made me very nervous to reactivate the remote access.

There were things discovered from this.

As a result, PMS was changed in 1.25.7 to be restrictive.

One sequence of events (example)

  1. Long-time user had not changed password since the breach.
  2. The unchanged password meant the PlexOnlineToken had not changed either.
  3. The targeted server was connected to, using that PlexOnlineToken, as if the actual owner using that breached password.
  4. (This is where the fault was) – The intruder set a non-media file as the video to preplay.
  5. The intruder would then play any video. The preplay would attempt to send the file. If user plex:plex had read access to that path then the file would be sent.
     (This is what causes virus scanners/etc. to trigger.)

PMS 1.25.7 established that all preplay files specified must be valid video files that PMS can read.

PMS 1.25.7 and above maintain this requirement.

4 Likes
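
The kind of check the 1.25.7 change describes, as an added example that is not Plex's code and not from this thread: a preplay path is accepted only if it is a regular, readable file whose leading bytes match a known video container. The function names, the short signature list, and the extra rule that the file must sit under a media folder are assumptions made for illustration.

```python
import os
import tempfile

def sniff_container(head: bytes):
    """Name the video container from its leading bytes, or None (list not exhaustive)."""
    if len(head) >= 12 and head[4:8] == b"ftyp":
        return "mp4/mov"
    if head[:4] == b"\x1a\x45\xdf\xa3":  # EBML magic
        return "matroska/webm"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"
    return None

def is_acceptable_preplay(path, media_roots):
    """Return (ok, detail) for a candidate preplay path."""
    real = os.path.realpath(path)  # collapse symlinks and ".." first
    roots = [os.path.realpath(r) for r in media_roots]
    # Assumption beyond the thread: only files under media folders are allowed.
    if not any(real.startswith(r + os.sep) for r in roots):
        return False, "outside media roots"
    if not os.path.isfile(real):
        return False, "not a regular file"
    try:
        with open(real, "rb") as fh:
            head = fh.read(12)
    except OSError:
        return False, "unreadable"
    kind = sniff_container(head)
    if kind is None:
        return False, "not a recognised video container"
    return True, kind

def demo():  # runs the check over constructed sample files in a temp directory
    with tempfile.TemporaryDirectory() as tmp:
        media = os.path.join(tmp, "media")
        os.mkdir(media)
        samples = {
            os.path.join(media, "preroll.mp4"): b"\x00\x00\x00\x18ftypisom" + b"\x00" * 12,
            os.path.join(media, "notes.mp4"): b"constructed text, video extension only\n",
            os.path.join(tmp, "secret.txt"): b"constructed non-media file\n",
        }
        results = {}
        for p, data in samples.items():
            with open(p, "wb") as fh:
                fh.write(data)
            results[os.path.basename(p)] = is_acceptable_preplay(p, [media])
        return results
```

The file extension is never consulted, so a text file renamed to `.mp4` is still rejected on content.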

And adding to @ChuckPa here:

What the intruder also did was disable logging, so we couldn’t see what was going on.
From PMS 1.25.7, it is now required that when lowering log level, a PMS restart is needed.

3 Likes

Payload matches this exactly.
