I was looking at the live streams on Plex last night when I noticed my username was watching a movie. Only problem is I wasn’t watching it. I pulled up Plexpy and noticed the user was watching the stream from Florida…not Kentucky. A little more digging and this user had accessed my server 4 days prior as well. I removed access to the device and updated my password to be safe. Has anyone else had this happen?
I have not had this happen to me but I’ve seen a few posts similar to yours. All it takes is a username/password to access your server. Right now Plex is small but I’d imagine someday when its huge there will be programs design to sniff out plex servers around the world. All you can do is just monitor(as you are) who is on and do exactly what you did if you find a breach.
@newplaza there are already ways to find exposed servers online.
@tworth04 - i would make sure that disableRemoteSecurity is set to 0 on your server machine (this is really depending on the OS) windows its in the registry, and linux based its in the preferences.,xml file
You can find the relevant settings location for your OS here: https://support.plex.tv/hc/en-us/articles/201105343-Advanced-Server-Settings
thanks for following up. I’ll continue to monitor and look into the remote security is set
The configuration option @teshiburu is referring to above was made ineffective as of Plex Server 1.7.5
So whatever you witnessed, it was not caused by this.
When you see something weird in Now Playing, first thing to do is to refresh the “web page” in your web browser.
It sometimes shows cached info that has nothing to do with the real playback.
Why this happens is still being investigated.
But the browser refresh always clears this up.
@teshiburu said:
@newplaza there are already ways to find exposed servers online.
Of course, I made no claim any other is immune to this. It’s just something we have it live with if we want an online server.
@teshiburu It is a valid comment so this is just a small FYI; that pref has been removed in recent releases, so if the server has been kept updated it should not have any affect.
@OttoKerner said:
The configuration option @teshiburu is referring to above was made ineffective as of Plex Server 1.7.5
So whatever you witnessed, it was not caused by this.When you see something weird in Now Playing, first thing to do is to refresh the “web page” in your web browser.
It sometimes shows cached info that has nothing to do with the real playback.
Why this happens is still being investigated.
But the browser refresh always clears this up.
Considering he saw the same playback results in Plexpy, I’d say something was actually going on an not just the anomaly you’re referring to.
@teshiburu i don’t see the disableRemoteSecurity option in the link you shared. any chance they changed the name?
Yeah i saw it twice. thanks @johnny15 for your work on plexpy because i was able to actually track where it was coming from.
@johnny15 actually it’s johnny wong…sorry 
Haha! @tworth04 no worries! I wish I could take credit for it…PlexPy is awesome! I make no such claim though. 
@OttoKerner @Peter_W did not notice that glad to see it was removed, just hope people update now
Could also be a “List of IP addresses and networks that are allowed without auth” instead then? maybe
@teshiburu said:
Could also be a “List of IP addresses and networks that are allowed without auth” instead then? maybe
Possible. But I hope nobody does actually put WAN IPs in there…
@OttoKerner nope that’s not configured/left blank
So ultimately, this isn’t a breach of Plex, but rather my own server? How would they obtain my login credentials?
@tworth04 said:
So ultimately, this isn’t a breach of Plex, but rather my own server? How would they obtain my login credentials?
They don’t necessarily need to crack/guess/brute-force your login creds.
A set of credentials of one of your shared users will do a as well.
Have you ever copy&pasted excerpts of your log files to public forums
or the content of the address bar of your web browser, when in the Plex Web app?
likely considering the setup process for other applications running.
@tworth04 said:
likely considering the setup process for other applications running.
I’m not sure I understand.
So there are chances that you did post URLs or log files publicly?
(although, with log files this would only be problematic if you also had the option activated to include ‘Plex Tokens’ in your log files, which bears an explicit warning.)
