ListenBrainz tokens are stored unobscured in Plex Media Server logs
The issue
A ListenBrainz user token allows activities to be performed on behalf of a ListenBrainz user via the API. As such, it should be kept hidden where possible.
Under Plex Media Server's default logging settings, webhook events are written to the PMS logs including the full webhook URL, and with it the token carried in the URL's query string. If those logs are then shared, for example posted publicly or sent to a Plex employee, the user token can be unintentionally disclosed.
The solution
Plex obscures its own secrets in its logs by string-matching the word `token`, among others. To resolve this issue, the webhook URL structure needs to change to something Plex will obfuscate for us: the `id` parameter is being replaced with `token`. Because the masking is keyed on the parameter name rather than on the secret value, renaming the parameter is enough for the token to be hidden in logs written from then on; it does nothing for logs already written, which is why the tl;dr below also covers resetting the token.
Anybody using the old `id` parameter will need to replace their webhook as soon as possible so that their logs no longer contain the unobscured token.
This is a breaking change, so a one-month grace period will be provided to give users time to migrate to the new URL structure. After the grace period, webhook events will not be processed unless they use the new `token` parameter.
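The following is an added example, not eavesdrop.fm's or Plex Media Server's own code. It models the behaviour described above with a redactor that masks a query value only when the parameter name contains "token" (an assumption modelled on the description of Plex's string matching, not Plex's real implementation), shows why renaming `id` to `token` is sufficient, and gives a scan you can run over your own log lines to find URLs that still carry an unmasked `id=` value. The hostname, log line format and token value are constructed placeholders.

```python
"""
Added example, not eavesdrop.fm's or Plex Media Server's own code.

Assumptions: query values are masked when the parameter *name* contains
"token" (modelled on the issue's description, not Plex's real code); the
log format, hostname and token value below are constructed placeholders.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"

# Constructed placeholder, not a real ListenBrainz token.
SECRET = "0123abcd-4567-89ef-0123-456789abcdef"
# Pre-change webhook URL structure: the secret travels under the `id` name.
OLD_URL = f"https://webhook.example.invalid/plex?id={SECRET}"

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _rewrite_query(url: str, rename):
    """Apply `rename(key, value) -> (key, value)` to every query pair of `url`."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return urlunsplit(parts._replace(query=urlencode([rename(k, v) for k, v in pairs])))


def redact_url(url: str) -> str:
    """Mask the value of any query parameter whose name contains 'token'.

    The value itself is never inspected, so a secret carried under another
    name (such as `id`) passes through untouched.
    """
    return _rewrite_query(url, lambda k, v: (k, REDACTED if "token" in k.lower() else v))


def migrate_webhook_url(url: str) -> str:
    """Rewrite the old `id=<secret>` parameter to the new `token=<secret>`.

    Only the parameter name changes; the secret and any other parameters are
    preserved, which is all the name-based masking needs.
    """
    return _rewrite_query(url, lambda k, v: ("token" if k == "id" else k, v))


def log_line(url: str) -> str:
    """Simulate a log line written after masking (constructed format, not Plex's)."""
    return f"DEBUG - Webhook: POST {redact_url(url)}"


def find_exposed_ids(log_lines):
    """Return (line_number, value) for each URL that still carries an unmasked id= value.

    Run this over your own log lines before sharing them; a non-empty result
    means the old webhook structure leaked the secret into that log.
    """
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for url in URL_RE.findall(line):
            for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
                if k == "id" and v:
                    hits.append((n, v))
    return hits


def demo():
    """Log one event with the old URL and one with the migrated URL, then scan."""
    new_url = migrate_webhook_url(OLD_URL)
    lines = [log_line(OLD_URL), log_line(new_url)]
    return lines, find_exposed_ids(lines)


if __name__ == "__main__":
    lines, exposed = demo()
    for line in lines:
        print(line)
    print("exposed id= values:", exposed)
```

With the old structure the first simulated line carries the secret in clear; after migration the second line shows `token=REDACTED`. The scan only reports the `id=` value because, once masked, the `token=` value no longer exists in the log to find.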
Sincere apologies for any inconvenience caused.
tl;dr
Your secret ListenBrainz token may have been unintentionally disclosed if you shared your Plex Server logs. To resolve this moving forward, we're making a change to the way we structure our webhook URLs. You'll need to update your URL if you created yours on or before 2020-09-26.
If you're concerned that you've disclosed your ListenBrainz token by sharing your Plex logs, resetting your token at listenbrainz.org/profile/, and then following the steps at eavesdrop.fm to reconfigure your webhook will protect you from unauthorised access.
Please reach out to me if you have any questions or concerns. I'm @SimonXCIV on Twitter and in the Plex forums.