Have encountered a concerning “breach”. I received notification (via the Plex App and when I checked on Tautulli) that a user I didn’t recognise had accessed my Plex server in the early hours of this morning. I did have remote access enabled.
When I checked my Plex Server, I could see an email that I didn’t recognise had been added as a shared user with access to all of my libraries. I also checked my Plex logs and could see entries with the same username and an IP address. However, when also checking authorised devices I didn’t see anything I didn’t recognise.
My main Plex password is pretty strong but I have since changed it, logged out all devices and disabled remote access (which is a shame).
What concerns me is that, from my logs, I can’t tell if they somehow were able to log in as me and add the account as a shared user. If not, then how could an unauthorised user add themselves as a shared user unless things were breached in another way?
I have the logs available for diagnosis if someone from Plex could reach out to me - I’d be very grateful!
Is your Tautulli page accessible from the internet? If so, do you have it requiring authentication?
[edit: it is indeed publicly accessible without requiring any authentication.]
Because you can get your X-Plex-Token from it. And if you have this token, you can do almost anything that requires plex authentication (i.e. Plex username and password), like inviting shared users etc.
(That nobody knows your domain or IP is no security at all [google “security by obscurity”]. There are thousands of search “spiders” patrolling the web, trying to find all kinds of servers without proper security measures.)
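The exposure described in the reply above, as an added example that is not part of the original thread and is not Plex’s or Tautulli’s own code: a small checker that fetches a Tautulli URL without credentials and reports whether it got a login page back, and whether the response contains anything shaped like a Plex token. The login-page markers, the `pms_token` key name, the 20-character token format and the sample responses are assumptions constructed for this example; verify the markers against your own instance’s login page before trusting a “requires_auth” verdict.

```python
"""Check whether a Tautulli instance is reachable without authentication and
whether its responses leak an X-Plex-Token.

Added example, not from the original thread or from the Tautulli project.
Assumptions (adjust for your setup): the login page carries one of the
LOGIN_MARKERS strings; tokens appear as `X-Plex-Token=<token>` in URLs or as a
`pms_token` key/value; a token is 20 URL-safe base64 characters.
"""
from __future__ import annotations

import re
import sys
import urllib.error
import urllib.request

# Assumed token shape: 20 chars of [A-Za-z0-9_-], preceded by a context that
# tells us it is a token and not some other identifier.
TOKEN_CONTEXT_RE = re.compile(
    r'(?:X-Plex-Token=|pms_token"?\s*[:=]\s*"?)([A-Za-z0-9_-]{20})(?![A-Za-z0-9_-])'
)

# Assumed markers of a Tautulli login page (not taken from Tautulli's source).
LOGIN_MARKERS = ("<title>Tautulli - Login</title>", 'name="username"', 'name="password"')

# Constructed sample responses used when the script runs without a URL.
SAMPLE_LOGIN_PAGE = (
    "<html><head><title>Tautulli - Login</title></head><body>"
    '<form><input name="username"><input name="password"></form></body></html>'
)
SAMPLE_DASHBOARD = (
    "<html><head><title>Tautulli - Home</title></head><body>"
    '<img src="http://192.0.2.10:32400/library/metadata/1/thumb?X-Plex-Token=abcdEFGH1234ijklMNOP">'
    '<script>var settings = {"pms_token": "zyxwVUTS9876rqpoNMLK"};</script>'
    "</body></html>"
)


def looks_like_login_page(body: str) -> bool:
    """True if the body contains any of the assumed login-page markers."""
    return any(marker in body for marker in LOGIN_MARKERS)


def find_token_candidates(body: str) -> list[str]:
    """Distinct token-shaped strings found in a recognised token context, in order."""
    found: list[str] = []
    for match in TOKEN_CONTEXT_RE.finditer(body):
        token = match.group(1)
        if token not in found:
            found.append(token)
    return found


def redact(token: str) -> str:
    """Keep the first four characters so a token can be matched to a config."""
    return token[:4] + "*" * (len(token) - 4)


def assess(status: int, body: str) -> dict:
    """Classify one HTTP response obtained without credentials."""
    tokens = find_token_candidates(body)
    if status in (401, 403) or looks_like_login_page(body):
        verdict = "requires_auth"
    elif tokens:
        verdict = "exposed_with_token"
    else:
        verdict = "exposed_no_token"
    return {"verdict": verdict, "tokens": tokens}


def check_url(url: str, timeout: float = 5.0) -> dict:
    """Fetch `url` with no cookies or headers beyond a User-Agent and assess it."""
    req = urllib.request.Request(url, headers={"User-Agent": "tautulli-exposure-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(512 * 1024).decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        status = exc.code
        body = exc.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError) as exc:
        return {"verdict": "unreachable", "tokens": [], "detail": str(exc)}
    result = assess(status, body)
    result["status"] = status
    return result


def report(result: dict) -> str:
    tokens = ", ".join(redact(t) for t in result["tokens"]) or "none"
    return f"verdict={result['verdict']} token_candidates={tokens}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Run this from outside your own network; from the LAN it proves nothing.
        print(report(check_url(sys.argv[1])))
    else:
        print("login page sample: " + report(assess(200, SAMPLE_LOGIN_PAGE)))
        print("dashboard sample:  " + report(assess(200, SAMPLE_DASHBOARD)))
```

Run it as `python3 check_tautulli.py https://your-public-host:8181/` from a host outside your LAN; a `requires_auth` verdict only means the front page asked for a login, so also point it at the settings and API paths your instance serves, since the token is what an attacker is after. Any `exposed_with_token` result means the token should be treated as compromised and regenerated, whatever the rest of the page looks like.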
THANK YOU! I simply hadn’t considered that (what an idiot I am). I think I now have Tautulli blocked from external access. Do I need to do anything else to ensure the X-Plex-Token from the intrusion is now invalid? (I’ve gone into Tautulli and re-authenticated and re-generated a token.)
@OttoKerner Having slept on this issue, and taken another look at the logs I sent your team, I’m now getting concerned about what else the intruder could have done whilst he/she was able to access my Plex via my Tautulli mistake.
I’m very grateful that you were able to quickly identify what the entry vector was, but would also appreciate anything else you or the team can find from the information in the logs I supplied.
Ahhh okay, I was just wondering if my logs could tell you anything else about what they were up to with the access they had, beyond just adding themselves as a shared user…
For example, inject malware, gain non-Plex-related info and credentials, etc. (I have done both antimalware and virus scans and not found anything.)