Possible security issue? - Printable Version

+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: General Questions (https://forum.jellyfin.org/f-general-questions)
+--- Thread: Possible security issue? (/t-possible-security-issue)

Possible security issue? - JoeG - 2025-02-17

Just something I stumbled on today...

If I click the 3 dots next to a song, TV show, etc., and use the Copy Stream URL option and then paste it into an incognito browser, it downloads the file without me having to authenticate. My expectation is that the file would be blocked or I would at least get a login page.

Here is a typical URL:

http://{IP - Censored by TDP}:8096/Items/7dfe409daf79f5b4815786ac9e0a5898/Download?api_key={API_KEY - Censored by TDP}

(This is not a valid URL. Just an example.)

If I mess with the Items key, I get the correct error returned via JSON. If I mess with the api_key, it returns a 401 error in the console.

It seems like the api_key is not necessarily checking for a valid session before sending the file?

RE: Possible security issue? - TheDreadPirate - 2025-02-17

The "Copy Stream URL" link includes an api_key. This is how the link is authenticating. If you were to log out of the session you used to create the link, the api_key used would no longer be valid and the link would no longer work.
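The behaviour the reply describes, as an added illustration that is not code from the thread or from Jellyfin: the api_key in the query string is itself the credential, so the download endpoint needs no browser session, and the link dies when the key that minted it is logged out. The TokenStore, the token values and the item id list are all constructed for the example; the redaction helper shows how to share such a URL without handing out the key.

```python
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit


class TokenStore:
    """Constructed in-memory model: access token -> user that created it."""

    def __init__(self):
        self._tokens = {}

    def login(self, user, token):
        self._tokens[token] = user

    def logout(self, token):
        # Logging out revokes the token; every URL carrying it stops working.
        self._tokens.pop(token, None)

    def user_for(self, token):
        return self._tokens.get(token)


def authorize_download(store, url, known_items):
    """Mimic the observed order of checks: bad/absent key -> 401,
    unknown item -> JSON-style error, otherwise 200 with the item id."""
    parts = urlsplit(url)
    key = parse_qs(parts.query).get("api_key", [None])[0]
    if key is None or store.user_for(key) is None:
        return 401, None
    item_id = parts.path.split("/")[2]  # /Items/<id>/Download
    if item_id not in known_items:
        return 404, {"error": "Item not found"}
    return 200, item_id


def redact_url(url):
    """Replace the api_key value so the URL is safe to paste in logs or a forum."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "api_key" in query:
        query["api_key"] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))
```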