jellyfin-plugin-opensubtitles icon indicating copy to clipboard operation
jellyfin-plugin-opensubtitles copied to clipboard

Published 20 hours ago verified publisher icon jellyfin

Url contains username and password în plain text

Open savornicesei opened this issue 3 years ago • 3 comments

Hi all,

When entering OpenSubtitiles credentials in Jellyfin, it redirects to

http://localhost:8096/web/index.html?username=<my_username>&password=<my_password>#!/configurationpage?name=Open%20Subtitles?username=<my_username>&password=<my_password>

where my_username and my_password are my credentials for OpenSubtitles.org, in plain text.

It seems they're kept in the url even if I leave the plugin page: image

For security reasons they should not be passed in plain text and in the query string.

  • Jellyfin v10.7.5
  • OpenSubtitles plugin v10.0.0

Thank you.

savornicesei avatar Jun 01 '21 15:06 savornicesei

I agree this maybe isn't the most clever design. However, there is a quick fix for this, enabling HTTPS :)

uranderu avatar Jul 07 '21 02:07 uranderu

That is not a fix 😄

savornicesei avatar Jul 07 '21 07:07 savornicesei

Putting the password in the request body instead does not exactly stop sniffing attempts. Use HTTPS.

cvium avatar Jul 07 '21 07:07 cvium