Roku saving Plex login information

Server Version#: 1.41.6.9685
Player Version#: (whatever’s currently on the official channel)

So, we had a Roku device recently crap out here. Not the device itself, the remote stopped working completely. Didn’t seem to be powering on at all even with fresh batteries. We decided to replace the device instead of just buying a new remote. Because the remote was not working there were concerns of how to erase the old Roku before disposing of it. Now here’s where things get interesting…

  1. I went to the Authorized Devices on my server and deleted the Roku there, removing the auth from my side.
  2. After this we figured out there was a reset button on the Roku we could use to factory clear it so we reconnected the power to it and used that button to clear the other authorized apps.
  3. Then we connected the new Roku and set it up.
  4. I had my phone ready, at the Plex device linking site, so I could authorize the app on the new Roku.
  5. Plex app didn’t need any authentication. The app launched and asked about pinning sources on the primary user profile.

I went back and rechecked my Authorized Devices later and the new Roku was listed on it.

I’m kinda concerned there was no authentication on my part needed here. Since I deleted the old Roku from my server authentications I’m doubting the app is reusing an old token. I also got an email for the “new sign-in” on the Roku I never did. Why is Roku being allowed to store the login information to my Plex account? Given the past security issues with Roku, Inc and their user accounts, and the fact I can’t restrict my server’s admin functions to the local network only, this feels like a security issue.

Edit: I’d like to add that the activating of the new Roku did not require authenticating the Roku account itself. The registered email of the Roku account was entered and then they sent an email to click through and activate. So a compromise of an email account not connected to my Plex account at all could potentially compromise my server here.

It could be related to Roku storing credentials for apps installed and linked on your account but that’s not something user controlled - it’s app\channel controlled. Can’t even turn it off on your Roku account or see anything about it really. I do not think it’s a commonly used feature.

I didn’t think Plex did this so maybe it’s a change on Plex’s side to use it? I agree it seems like the only option for how it auto authenticated in your description of your experience.

Otherwise I would think maybe it got picked up as a local device based on IP (like how you’d set it up for offline use) but didn’t actually authenticate. I’m pretty sure you’d notice the difference if that were the case though. It’s a pretty similar experience but definitely not the same.

The only other thing I can think of is that Plex authentication for linking can be pretty quick if you’re already logged into Plex on your mobile when you go to link it, but since you never tried to go to the dedicated “link my device” site that doesn’t fit either.

I wouldn’t stress too hard about the security aspect; someone can’t get to your Plex server just because the Plex app auto credentials on Roku devices. Gotta be a GUID key or similar doing that I’d think - not actual stored credentials - and that’s not going to help someone sign into your Plex server (particularly if you have 2FA setup). I’d be more concerned about any credit card or personal info stored at Roku (which is why I don’t keep any there) - otherwise there’s nothing really useful with getting into someone’s Roku account. It’s just not very rewarding beyond someone’s lolz. 🙂

  • You can delete media files from a Plex server with the Plex client.
  • You can delete the actual Plex account from the Plex streaming device client. You can’t delete a Netflix account from the Netflix app. You can sign out, but you would have to go online to the Netflix site to unsubscribe/delete.

This is expected. Your Plex account info is saved into your Roku account profile, so signing on to your Roku automatically signs you into your Plex account without any further authentication. The only way to stop this is to remove your Plex info from your Roku profile. But it will get added back if you ever sign into Plex again from any other Roku device.

Ah. I almost never go into Plex profile screens on Roku - it’s always just the regular settings - so I hadn’t seen it there and wrongfully assumed it wouldn’t be an option.

I wouldn’t want a random family member to delete an account because of mistaken remote button presses. Account deletion options should probably be removed from any client device screens really.

I had the “delete content from client” turned off for the same accidental reason but eventually found it more useful than the risk of accidental deletion so it’s on now, but I could see if this was a significant concern you might want to disable it.

Like I said though, someone’d have to get to my Roku account on a Roku device and that just isn’t likely. It’s not that easy to do (different passwords for different accounts and 2FA enabled, even the crappy “email a code” 2FA at Roku) and there isn’t much reward for doing it. I’m not saying you can’t have a concern, just wanted to allay some initial fears as it doesn’t seem as big a security issue as it might seem initially.

Edit: I just dug around and don’t see where on a Roku via Plex channel\app you can delete your Plex account. There’s some account level options you can fiddle with but nothing that could delete your actual Plex account. Nothing destructive. Where are you seeing that?
