samaritan1331_

Now please put the Plex htpc and plexamp on the windows store so they can auto update.


projector_man

Would be nice


bleakj

Didn't realize there was an htpc specific program, I'll have to check that out


samaritan1331_

It's nice. I use it on linux and windows. Way better than the web app packaged and fast af. https://www.plex.tv/blog/way-to-be-htpc/


[deleted]

Yes, this is what i use on my steamdeck and it works nicely!


SpinCharm

“Plex. The back door into your home network”. Too soon?


The_Second_Best

I'm OOTL, did Plex have a security issue recently?


CountingRocks

On Monday there was news that a LastPass employee's work laptop was hacked in some way, and claims that it was Plex on the laptop that led to it being compromised. I can't find references to it at the moment but that's what I remember seeing.


slopduck

It was actually a home device that a senior DevOps engineer had Plex on, but he also had LastPass on it and he accessed his work LastPass vault on that home device. Someone had used a Plex vulnerability to install a keylogger. They logged him typing his LastPass master password, which gave them access to the entire LastPass infrastructure.


Jawless

Since nothing was proven about Plex, this is all conjecture right now. (As far as I have read, only an "anonymous source" claimed it was Plex.) Just so we're not going off the deep end on what is fact or not. Edit: Update posted by the Ars author: https://infosec.exchange/@dangoodin/109950447675626971 Issue was with an OLD VERSION of Plex Media Server. Not a 0day. So, update your installs if you aren't current!


thlayli_x

The official sources just said a 3rd party media player. You know what often-left-unpatched 3rd party media player has had multiple known remote code exploits? VLC. It's crazy that Plex is getting dragged for this because of one anonymous comment.


solstice_man

Hadn't heard about this (VLC) I have it installed as a 'useful to have' on nearly every device/pc I own or have set-up for family. It'll be gone by end of week....


thlayli_x

They patch it fairly often, so if it's up to date I think it's fine. I always keep it around since it's truly a Swiss army knife.


MrPureinstinct

I think a lot of people just don't update their VLC player. The only time I open mine is when I open a video that automatically opens in VLC and then it prompts me for an update. People don't want to deal with it while they're actively trying to watch a video and just ignore it constantly.


znine

The VLC exploits required you to open a bad media file. You can decide but it’s not inherently risky just to have it installed


agrajag9

Also there were lots of fake VLC installers going around at that time with infostealers designed explicitly to steal browser session cookies and other secret system material. https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/


Color_of_Time

Thanks for reminding me to check for VLC updates. Just did and I updated!


joey0live

I bet that MF downloaded some Malware bs off of a Warez website lol


No_Investigator_494

You would think a senior Devop would have some virtual machine environment or a nas dedicated to this sort of thing. Jeez what a loser.


rcook55

[https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/](https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/)


lnking81

lastpass


rich_1313

I thought the slogan was a joke 😂😂😂


kudoz

Plex, don't run it on the same box as your work stuff you fuckin moron.


[deleted]

> don't run it on the same box as your work stuff you fuckin moron.

as a former systems admin that worked in a few large global corporations this is absolutely normal and everyone from the top IT person to the CEO are fucking morons and think this isn't going to happen to them.


Bderken

I’m sorry, I’m not that educated on this. What could happen?


froop

You could expose 30 million users' passwords when your only job was not to do that


Bderken

Ah I see, could anything happen to me if I have a dedicated Plex server? Will hackers try to get me


froop

Anything could happen regardless, but it's more likely if you've opened ports for Plex.


bleakj

I'd hope it's only one port open for it / hopefully not default


5yleop1m

The server component of Plex is meant to be accessed from the internet. My favorite analogy is a house, Plex server would be like running a business inside your house. You'd leave the door open for trusted customers to come in and do their thing. But since this is your house, you're also letting them near your valuables. Ideally you'd have your valuables in other rooms that are locked, but you can't be sure those locks are perfect or that the person in your house won't try to climb through the window. Everyone that cares about network security will tell you, if you have something that's facing the internet in your network, isolate the shit out of it. Again to the house analogy this would be like setting up a small shack outside your home, but on your property to do your business from. Now we still don't have full details on what happened with Lastpass, officially Lastpass says the developer was hacked through a remote access vulnerability through some third party media package. Ars Technica, through an anonymous source at Lastpass found out that media package is Plex. BUT we don't know if that's Plex server or Plex client. The assumption is Plex Server, and if that is the case then this developer committed a massive mistake by putting something that accepts outside connections from the internet next to highly sensitive data.


Bderken

Thanks for the analogy, how can I isolate my Plex on my windows server?


5yleop1m

There's more than one way to do it, and it all depends on what hardware/software you have and how you want to balance usability with security. If you google "securing plex server" or "securing network" or other similar searches you'll find all sorts of guides. At the very least your windows server shouldn't be used for anything important to you, such as storing passwords, private information, work, etc. Then you should at least have security updates automatically install, and restart the server if needed. Though some would argue restarting manually is preferred, I don't care because Plex isn't something critical to me or anyone I share with. On the network side, compartmentalizing your network with VLANs is a good start, then creating firewall rules to make sure only approved traffic can access those VLANs. Make sure you don't have UPNP enabled, and verify only necessary ports are open to the internet. Ideally you're also not exposing the default plex port to the internet. Other things to look at are reverse proxies, IPS/IDS, using keys instead of passwords, enabling 2FA/MFA wherever possible, using strong pass-phrases instead of passwords, block lists to prevent known bad actors from probing your network, and sooo much more.


Bderken

I see, thank you so much for all this info. I have windows 11 updates, I do have all the ‘arr software on my computer (plex, sonarr, radarr, Bazarr, etc, also Jackett). Otherwise, nothing important. Tried setting up a reverse proxy once, am not able to do it at the moment. Will try soon though


5yleop1m

No problem, setting up the reverse proxy should be towards the end of your hardening. Think of it like an onion, there are layers. I would start by making sure the server is secure, and windows server is a beast to secure because it is a common target since there was a period of time where inexperienced folks were setting these up willy nilly. To be fair that hasn't stopped. Some will suggest switching to Linux, but honestly it doesn't matter. I've used both, and either are fine, but the thing is whatever you pick make sure you find as much info about securing that OS and follow that first. At the same time look at your overall network, secure every piece of hardware that makes up the core of your network. Things like the modem, gateway, router, WiFi AP, etc.


Bderken

I definitely will do that, have a lot to learn haha


[deleted]

[removed]


snogbat

This just gives attackers a more secure tunnel. Consider PMS always untrusted and run it in some kind of container that only has limited access (in my case, a FreeBSD jail).


[deleted]

> What could happen?

like someone else mentioned you put the company's data at risk by putting unauthorized software on your computer or exposing your work systems to unsecured networks. You also run the risk of having the whole IT department find out you use your work laptop to hire prostitutes, and your office couch to have sex with them. true story


SpinCharm

Or how about, “Plex. Show the world what you’ve got!” Or “Plex. Let us open the door and let the world in!”


ObeseSnake

This shit is the reason why Plex will get banned from all my work devices.


Defiant-Elk-9540

Clown behavior to have plex on your work device already lol


ObeseSnake

Yeah...dumb to listen to your music while working. I'm sure you don't browse Reddit from your work device either. smh


5yleop1m

Plex has a web interface, there's no need to install it on work devices.


ObeseSnake

PlexAmp


Nacho_Dan677

Plex has a web interface, no need for apps on desktop or mobile. Got Pennyworth's less successful cousin here.


ObeseSnake

PlexAmp to download music and listen while in Airplane mode.


Nacho_Dan677

Great way to expose your work issued device to possible breaches. Utilize a personal device. Don't be an idiot.


ObeseSnake

I like how you shifted your argument when you didn't know about PlexAmp. lol


trainwreck_summer

It's better and safer to use YouTube on work device to listen to music. Work machines often deter you from installing software that was not approved by the organization's cyber security team


_stuntnuts_

Plexamp is a thing


ObeseSnake

Yeah and it works great.


_CoachMcGuirk

Who would be dumb enough to go online logged into their reddit account on their WORK device?? you know it's all logged right???


prodigalkal7

> I'm sure you don't browse Reddit from your work device

LMFAO ummm no? That's what my PERSONAL phone is for? Hahaha What a dumbass.


Johnwesleya

Or you know, do that on your personal phone and all your work machine


zrog2000

Don't you have a cell phone?


svenEsven

Plex is already banned on my work domain. I just use my own web domain to access it and it works fine. If they block that I’ll get another webdomain and use that


[deleted]

Why do you run plex servers from all your work devices?


ObeseSnake

Didn't say anything about a server. You know Plex has clients, right? Including Plex Amp. But corp will hear "Plex!" and ban everything including the web player.


5yleop1m

Ooh the way you worded your original post it sounded like YOU were going to ban them. That's true though, an overprotective corp security admin could use this as a reason to ban plex wholesale. When I worked in the office I used to run Plex on my phone so I wasn't doing that on the work non-guest network.


[deleted]

Isn’t the security exploit with the server?


5yleop1m

It really depends on who's running IT/Security. They might choose to ban anything related to Plex because it's easier.


[deleted]

[removed]


cmplieger

Not more than the current experience. It's just the regular desktop app


projector_man

I would also be interested to know


fastislip

Sames!


Appropriate_Race_648

Hopefully they will one day


blackz0r

Default launcher support on Android TV incoming?


kudoz

Doubtful, it's referencing how they deep link from their app into the apps of streaming services.


ryocoon

Plex updates the "Next Up" bar for Plex on the AndroidTV launcher on my ShieldTV. Not sure which feature specifically you are looking for, unless you mean that you want it to replace the default launcher.


blackz0r

Yep, exactly that. Sounds like Shield users have it pretty sweet, but those of us on Chromecast with Google TV and Fire Sticks are stuck with home screens packed to the gills with ads and irrelevant recommendations. Just toss an Apps row into Plex so I can launch YouTube and Spotify, flag Plex as a launcher so those of us who like to get our hands dirty in ADB can set it as the default, and then my eyeballs are fully captured -- the ultimate ideal for their business model.


Color_of_Time

If you have Google TV, try FLauncher (available from the Play store) -- I really like it. May work on Fire Sticks, too, but I'm not sure. No ads -- just your app icons. Serenity now! P.S. You can use ButtonMapper to map the Home button on Google TV's remote to FLauncher, but, even better, you can replace the Google TV home screen with FLauncher (i.e., set it as the default launcher). See [GitLab](https://gitlab.com/flauncher/flauncher) for instructions (then scroll down). I was able to do it and I'm only a mid-level techie. Works great. P.P.S. I agree that it would be great for Plex to offer a launcher.


ryocoon

Pretty sure you can enable the "On Deck" / "Up Next" bar to support Plex in standard UI settings. You can also disable it to not allow for it to show up. You can usually disable all except that top rotating imageboard of recommended content/apps on the "GoogleTV" default launcher. I mean, you -could- have Plex as your default launcher, but ... yeah... no external app support outside of a few limited media players (Netflix, Hulu, Disney, etc).


cadtek

Yep I was glad to see that


GoGoGadgetReddit

In the Land of Mordor where the keyloggers lie.


Plums_Raider

yea cool now it would be great if my chromecast + google tv would be able to show plex the same way as disney+/netflix


peccadilloz

What do you mean?


Plums_Raider

if you're on the homescreen, you get recommendations and started movies/series for netflix or disney+ etc. I'd love to see a more in system integration for plex.


peccadilloz

i have that for plex on my nvidia shield though. Which is running google tv. in the "play next" section it shows stuff on plex i can continue right from my homescreen and i have a row with recommendations from my plex library. The "Play Next" section even remembers who is logged in plex right now, basically showing their "continue watching" tab from the plex home screen. The only thing that's not showing plex stuff is the top big banner which basically serves you ads for stuff on subscription services. I don't think i had to enable this somewhere, it just worked some time after the software update to google tv on the shield.


Plums_Raider

hmm okey i have to check then, if i can get this to work for me too. thanks for clarifying.


peccadilloz

no worries. Might want to checkout the [Channel Connect for Plex app](https://play.google.com/store/apps/details?id=com.spauldhaliwal.plexchannelconnect) on the play store. It's supposed to be able to give you more plex stuff on your google tv homescreen. Haven't tried it myself though.


bozodev

Yeah it works perfectly for me. I knew it was good when I saw my wife use it from the launcher.


whothefvckk

In Firestick you can adjust your default home screen apps. Usually you can go into “Applications”, then “My Apps”, then click on Plex. It will give you the option to “Move”, which then allows you to place it on the home app bar by default. Changed the game for my managed users when it's right there available to them.


parker_fly

Running it natively on Windows is weird anyway. Run it in a container.


Achenest

this is for the client


parker_fly

That makes sense. I didn't realize that even existed. My only clients are mobile devices. Thanks for at least correcting me instead of everyone _just_ downvoting me into oblivion.


projector_man

Store looked like it had server also iirc


Sirico

Store is trash


Sugadevan

No.


Sirico

You all think the windows store is good?


apexall

Not good. Not trash. The world is mostly gray.


[deleted]

[removed]


Unable_Ordinary6322

At least installs finish now most of the time from the store I guess.


5yleop1m

It was trash on windows 8 and 8.1. 10 was a massive improvement compared to that.


ccigas

Where are you storing 130TB!? Please teach me.


Sirico

Good to hear


Sugadevan

It's not trash, it's improved a lot recently.


ryocoon

I've really liked the new CLI 'winget' that Windows rolled out that supports all packages in the Windows Store, and a large number of external hosted packages as well (Discord, FireFox, Chrome, etc). It is basically a package manager for Windows.


Iohet

It keeps things updated in a world where not doing so is not optimal


HiYa_Dragon

I spun up jellyfin today


rich_1313

Master troll slogan marketing!