For some reason, the same person: riley79 (theaog@mail.com) has appeared on my friends list showing that I'm sharing all of my libraries with them. After doing a search for that email, it came up on FB with someone from the UK, so it's definitely not one of my friends who guessed my password. This happened last week with this person, then I removed them and they appeared again on my friends list tonight.
Don't I have to confirm/invite other users to access my library? Was my account compromised? I changed my password tonight and removed this person again, but how is this possible?
I know I didn't share anything with them, especially on two separate occasions. Also, I shared my libraries with 3 friends and they were in my pending section until they accepted, this person was never in my pending area (assuming they sent the invite to themselves and accepted right away). Is there a way on my server or under my account on plex.tv to see the invites I sent out? Besides the pending area, how would I know what invites I sent out? Besides someone cracking or brute forcing my password, I don't know what else is feasible. I'll have my masters in information assurance/data security in the spring, and this is pissing me off. Since I changed my password, I think I'll be alright. I was stupid and didn't change my password after the first time thinking it was an error on Plex's part.
Have you seen any other scenarios where someone randomly shows up as a friend you're sharing something with?
Can someone from PLEX PLEASE comment on this. I am getting (no I am beyond) very nervous. We need to know why this is happening and how to stop it now.
Thank you both Elan and dewd. I read up on the link you provided and it seems that 'theaog' is indeed a malicious user selling plex library access. I immediately removed the friend and access to my server and changed my password. Hopefully the devs will implement a solution (two factor authentication or maybe a 24 hour waiting period when sharing a library and a notification email).
Not communicating about bugs or future plans is one thing, but no comments on something this serious that has been happening this long is not cool. Not cool at all...
FWIW, this has not happened to me. Because of this, I check my sharing often.
Not communicating about bugs or future plans is one thing, but no comments on something this serious that has been happening this long is not cool. Not cool at all...
My apologies, and I can promise you we have been looking into it for a while now (including putting in some countermeasures), so we absolutely do care about this sort of thing. We'll continue to make improvements and "take care" of the badly behaving users.
dewd, It's actually kind of funny this happened to me now as I'm in the middle of migrating from my old server onto my brand new server. I am going to run a VM strictly for Plex with a 10TB spanned volume share (with a backup). I wouldn't be as annoyed with this crap if I were already migrated into my new server and VM since I can revert back to any snapshot, but since most plex servers are hosting directly on hardware, I hope this backdoor or Python code exploit I was reading about is patched up soon.
My apologies, and I can promise you we have been looking into it for a while now (including putting in some countermeasures), so we absolutely do care about this sort of thing. We'll continue to make improvements and "take care" of the badly behaving users.
Elan,
I've been following the security issues for 9 to 10 months now or so and haven't made any comments. I know it's complex from your standpoint.
However, I'd like to give a few possible quick things that could be implemented directly in the server without client alterations that would help us. More like a "band-aid" but will help!
1) On the devices page add the IP address. This could allow us to easily block IP addresses from our router for "offending" devices that have breached. Also good for other things.
2) Add a new configurable section to the server that only allows "admin/system" changes from a list of authorized IP addresses. Allow at least "C block" ranges. I could for example put in my home and work IP addresses.
3) In the server before allowing any changes make sure it's from an authorized IP address (see above).
By doing this no new users could be added to the system which should stop some of the exploits where new users are created from "external"/un-authorized IP addresses. Of course you could also log all such "breaches" to a new log file "security", etc.
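An added example of the allowlist check suggested in the post above, not part of the original post and not Plex's code: state-changing admin requests are accepted only from listed networks, and everything else is written to a security log. The path prefixes, the record format and the addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Assumed allowlist: a home /24 ("C block") and a single work address.
ALLOWED = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.17/32")]

# Hypothetical path prefixes standing in for "admin/system" changes.
ADMIN_PREFIXES = ("/admin/", "/sharing/")
CHANGE_METHODS = {"POST", "PUT", "DELETE"}

# Constructed request records, one per line: "source_ip method path".
SAMPLE_REQUESTS = """\
203.0.113.25 POST /sharing/invite
192.0.2.77 POST /sharing/invite
192.0.2.77 GET /library/sections
198.51.100.17 DELETE /admin/devices/4
198.51.100.18 PUT /admin/settings
not-an-ip POST /admin/settings
"""

def is_authorized(source):
    """True only if the source parses as an IP inside an allowed network."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # fail closed on anything that is not an IP address
    return any(addr in net for net in ALLOWED)

def is_admin_change(method, path):
    """True for state-changing requests under an admin prefix."""
    return method in CHANGE_METHODS and path.startswith(ADMIN_PREFIXES)

def review(requests):
    """Split request records into (allowed, security_log) lists."""
    allowed, security_log = [], []
    for line in requests.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records
        source, method, path = parts
        if is_admin_change(method, path) and not is_authorized(source):
            security_log.append(f"DENY {source} {method} {path}")
        else:
            allowed.append(line)
    return allowed, security_log

if __name__ == "__main__":
    for entry in review(SAMPLE_REQUESTS)[1]:
        print(entry)
```

The check is only as good as the source address the server sees; behind a proxy or relay that address is the proxy's, not the client's.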
I wonder if the users that are getting compromised have something in common, like the same email provider? ISP? something? bad passwords? or could just be something wrong with plex itself, which would not surprise me I guess
First time I started adding users to my server there was an unknown friend added. Can't recall the name now but I promptly deleted them, I hadn't even looked at the users section before that since I wasn't using it. I'm thinking that "riley79" may have been that user, so Plex, you know this is happening and we can provide usernames, is it possible to see how many servers one user has friends access to? If it's unusually high then you stand a good chance that this person has found a bug or is actively hacking into accounts.
This issue was one of the main reasons I wanted to get something like plexWatch running on my server. So I could see and log if anyone was using my server without my knowledge.
It's totally unbelievable that there isn't some way from within the PMS web app itself to monitor who, what and when. I would rather have too much information in this type of situation than what we have now. IP, MAC, area of the world that IP comes from. And to be able to restrict (and STOP, if needed) their access. Even selecting a time-frame a given user is able to use it. (Kids from this to that time, etc.)
At least now I have plexWatch, so maybe I can start seeing logs of user activity.
This happened to me again, with a new password not used anywhere else. I've also cleared almost all my tokens to stop users connecting.
Really, this is ridiculous.
I have tried to find out where access to this is being sold in an effort to find out how it's happening. It's infuriating though, and there's no way it's related to an old password leak. At this point I've had to enable the PF server in Yosemite to IP ban users from connecting to my box, and like others installed plexWatch.