Security issues in Plex/Web

1. Sign in to Plex/Web 2.0.23 using Safari 7.0.3 on www.plex.tv

2. Open a Plex/Web link in a new tab or load the Apps page, which loads in a new tab

3. Sign out from the new tab


-> Bug: Old tab is not signed out. Expected behaviour is that it signs out of plex.tv completely if signed out once.


Also, Plex/Web 2.0.23 is not encrypted using SSL like the main page on www.plex.tv.


Security should not be an after-thought in development; it should be conceptualized and ingrained in development from the beginning.
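The sign-out bug above comes down to where the session is terminated: if signing out only clears the cookie in the tab that clicked the button, every other tab (and anyone holding a copy of that cookie) stays signed in. The example below is added here and is not Plex code; it contrasts a client-only "forget the cookie" sign-out with a server-side revocation, using a constructed in-memory store and hypothetical tab objects. It also shows the cookie attributes a session cookie should carry once the app is served over SSL, which ties in with the point about Plex/Web not being encrypted.

```python
import secrets
from typing import Dict, Optional


class SessionStore:
    """Constructed in-memory session store (assumption: a real deployment
    keeps this in a shared database or cache, not a process-local dict)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}  # session id -> user name

    def sign_in(self, user: str) -> str:
        # 256-bit random session id; the id itself carries no user data.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def current_user(self, sid: Optional[str]) -> Optional[str]:
        # Every request is checked against the server-side table.
        if sid is None:
            return None
        return self._sessions.get(sid)

    def sign_out(self, sid: Optional[str]) -> None:
        # Revoke on the server: the cookie value becomes worthless everywhere,
        # no matter how many tabs or devices still hold it.
        if sid is not None:
            self._sessions.pop(sid, None)


class Tab:
    """Hypothetical browser tab; both tabs share one cookie jar, as in the bug report."""

    def __init__(self, jar: Dict[str, Optional[str]]) -> None:
        self.jar = jar

    def cookie(self) -> Optional[str]:
        return self.jar.get("session")

    def forget_cookie(self) -> None:
        # What a client-only sign-out does: the jar is cleared, the server is not told.
        self.jar["session"] = None


def session_set_cookie_header(sid: str) -> str:
    """Set-Cookie header a sign-in over SSL should emit: Secure stops the cookie
    being sent over plain HTTP, HttpOnly keeps it away from page scripts."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def demo() -> Dict[str, Dict[str, Optional[str]]]:
    results: Dict[str, Dict[str, Optional[str]]] = {}

    # Case 1: sign-out only forgets the cookie in the tab that clicked it.
    store = SessionStore()
    jar: Dict[str, Optional[str]] = {"session": store.sign_in("alice")}
    old_tab, new_tab = Tab(jar), Tab(jar)
    old_sid = old_tab.cookie()          # old tab keeps its own copy of the value
    new_tab.forget_cookie()
    results["client_only_forget"] = {
        "new_tab_after_sign_out": store.current_user(new_tab.cookie()),
        "old_tab_after_sign_out": store.current_user(old_sid),  # still "alice"
    }

    # Case 2: sign-out revokes the session on the server.
    store = SessionStore()
    jar = {"session": store.sign_in("alice")}
    old_tab, new_tab = Tab(jar), Tab(jar)
    old_sid = old_tab.cookie()
    store.sign_out(new_tab.cookie())
    new_tab.forget_cookie()
    results["server_side_revocation"] = {
        "new_tab_after_sign_out": store.current_user(new_tab.cookie()),
        "old_tab_after_sign_out": store.current_user(old_sid),  # None: signed out everywhere
    }
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The design point is that the server-side table, not the browser, is the source of truth for "signed in"; the old tab in case 2 is rejected on its next request because its session id no longer exists, which is the expected behaviour the report asks for.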

It seems the Plex forums are vulnerable to the Heartbleed bug in OpenSSL:

Plex.tv has the OpenSSL bug too, but it can't be exploited:

Tested on http://possible.lv/tools/hb/

More information regarding Heartbleed: http://heartbleed.com

I think it would be wise to fix these security issues as soon as possible, as they're published and out in the open, ready to be exploited.

It appears the Plex forums have been patched against the Heartbleed bug. Kudos for the quick fix!

One more thing that's left to do to secure this forum is reissuing the SSL certificate, as the keys could have been stolen already:

Please do so as soon as possible, if you value the safety of your users' information.

Securing Plex/Web with SSL would also be appreciated.
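Whether a certificate was actually reissued after Heartbleed can be checked from the certificate itself: a `notBefore` date earlier than the public disclosure (7 April 2014) means the certificate, and therefore the key it binds, predates the window in which the key could have been read out of server memory. The helper below is an added example, not part of this thread or of Plex; it parses the output format of `openssl x509 -noout -dates` (the two sample outputs are constructed) and also compares public-key blocks, because a reissued certificate only helps if it carries a new key rather than the old one signed again.

```python
from datetime import datetime, timezone
from typing import Dict

# Heartbleed was publicly disclosed on 7 April 2014.
HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)

# Constructed samples in the format printed by `openssl x509 -noout -dates`.
SAMPLE_OLD_CERT = "notBefore=Mar  5 12:00:00 2014 GMT\nnotAfter=Mar  5 12:00:00 2015 GMT\n"
SAMPLE_NEW_CERT = "notBefore=Apr  9 08:30:00 2014 GMT\nnotAfter=Apr  9 08:30:00 2015 GMT\n"

# Constructed PEM bodies standing in for `openssl x509 -noout -pubkey` output
# (hypothetical key material, not real keys).
SAMPLE_PUBKEY_A = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqOLDKEY\n-----END PUBLIC KEY-----\n"
SAMPLE_PUBKEY_B = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqNEWKEY\n-----END PUBLIC KEY-----\n"


def parse_openssl_dates(text: str) -> Dict[str, datetime]:
    """Turn 'notBefore=Mar  5 12:00:00 2014 GMT' style lines into UTC datetimes."""
    dates: Dict[str, datetime] = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if value.endswith(" GMT"):
            value = value[:-4]
        # strptime treats a single space in the format as "one or more" spaces,
        # so the padded day in 'Mar  5' parses correctly.
        parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y")
        dates[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in dates or "notAfter" not in dates:
        raise ValueError("expected notBefore and notAfter lines")
    return dates


def issued_before_disclosure(dates: Dict[str, datetime],
                             disclosed: datetime = HEARTBLEED_DISCLOSED) -> bool:
    """True when the certificate predates the disclosure, i.e. it was not reissued."""
    return dates["notBefore"] < disclosed


def normalise_pem(pem: str) -> str:
    # Ignore line wrapping differences; compare the base64 body only.
    body = [ln.strip() for ln in pem.splitlines()
            if ln.strip() and not ln.startswith("-----")]
    return "".join(body)


def same_public_key(pem_a: str, pem_b: str) -> bool:
    """A reissue that kept the old key (same CSR) still leaves the leaked key in use."""
    return normalise_pem(pem_a) == normalise_pem(pem_b)


def assess(old_dates_text: str, new_dates_text: str,
           old_pubkey: str, new_pubkey: str) -> str:
    """Classify the current certificate relative to the pre-disclosure one."""
    new_dates = parse_openssl_dates(new_dates_text)
    if issued_before_disclosure(new_dates):
        return "not reissued"
    if same_public_key(old_pubkey, new_pubkey):
        return "reissued but same key"
    return "reissued with new key"


if __name__ == "__main__":
    print(assess(SAMPLE_OLD_CERT, SAMPLE_NEW_CERT, SAMPLE_PUBKEY_A, SAMPLE_PUBKEY_B))
```

To feed it real data, capture the live certificate with `openssl s_client -connect host:443 -servername host </dev/null | openssl x509 -noout -dates -pubkey` and keep a copy of the pre-patch certificate for the key comparison; the date alone distinguishes "reissued" from "not reissued", and the key comparison distinguishes a real re-key from a cosmetic reissue.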

I'd appreciate a re-key as well.  I spent hours resetting passwords last night, and want to check plex off the list.

It's kind of disappointing to report serious issues and get no response or acknowledgment from the developers whatsoever. I'm guessing Plex will only do something about their security when a data breach happens that is reported in the media, thus affecting its bottom line. For what it's worth, here are more exploitable security issues in Plex: http://seclists.org/fulldisclosure/2014/Apr/160

For what it's worth, everyone, here are some more exploitable security issues in Plex: http://seclists.org/fulldisclosure/2014/Apr/160

Just linking to the other post on the subject

It is very disappointing to report serious issues and get NO response or acknowledgment from the developers whatsoever. I'm guessing Plex Inc. will only do something about their security when a data breach happens that is reported in the media, thus affecting their bottom line. For what it's worth, everyone, here are some more exploitable security issues in Plex: http://seclists.org/fulldisclosure/2014/Apr/160


Agreed, worrying and disappointing to say the least.

Early 2021 clean-up: outdated / fixed