A beautiful new login page - Post Mortem

Context

Release 2023.12 highlighted a login page redesign. If the client was on a private IP address, the login page automatically displayed the profile picture and display name of every active user on the instance. The accessing user then clicked on their picture and was directed to a second page where the respective password could be entered.

The feature was meant to make login easier and friendlier-looking, or as the blog post put it, to ‘literally welcome you into your own home’, since logging in from a local network ‘means that you are in your trusted home environment’.
Reception

Immediately the community raised several objections to the new login flow:

  • In IoT there is no such thing as “a trusted environment”.
  • The home network is the most immediate threat surface, so exposing all user accounts without requiring authentication is ill-advised.
  • The feature is accompanied by a new public API endpoint that, besides profile pictures and display names, also hands out the internal user ids.
  • In practice the above means deeming any address in the private IPv4 and IPv6 space a trusted party (at least in this context).
  • Many users who run Home Assistant behind a proxy without client IP passthrough found themselves unintentionally leaking this data to the Internet, because every request appeared to originate from the proxy's private address.
  • The new login flow weakens authentication because it removes the username factor.
  • Having to click on the user picture is rather a nuisance for password manager users, since now you have to click twice instead of populating both Username and Password fields at once.
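The two objections about trusting the whole private address space and about proxies without client IP passthrough describe the same decision going wrong. The snippet below is an added illustration, not code from Home Assistant or from the original post: a naive "is the client local?" check that looks only at the TCP peer address, next to a variant that honours a forwarded client address only when it arrives from a configured reverse proxy. The trusted-proxy address, the client addresses and the list of networks treated as "private" are constructed for the example.

```python
import ipaddress
from typing import Optional

# Assumption for this example: which networks count as "private". The post
# talks about the private IPv4 and IPv6 space, so RFC 1918, ULA, loopback and
# link-local are listed explicitly rather than relying on ip_address.is_private
# (whose definition includes documentation ranges such as 203.0.113.0/24).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128", "fe80::/10",
)]

# Constructed sample: one reverse proxy on the LAN that we explicitly trust to
# set X-Forwarded-For. Anything else that sends the header is ignored.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]


def is_private(addr: ipaddress._BaseAddress) -> bool:
    """True when addr lies in one of the networks we consider private."""
    return any(addr in net for net in PRIVATE_NETS)


def naive_client_is_local(peer_addr: str) -> bool:
    """The failure mode from the post: decide on the TCP peer address alone.

    Behind a reverse proxy every request, including one from the public
    Internet, arrives from the proxy's private address and is deemed local.
    """
    return is_private(ipaddress.ip_address(peer_addr))


def client_is_local(peer_addr: str, x_forwarded_for: Optional[str]) -> bool:
    """Honour X-Forwarded-For only when the peer is a configured proxy.

    With a single trusted hop, the rightmost entry of the header is the address
    the proxy itself observed; anything to its left was supplied by the client
    and cannot be trusted. Malformed input is treated as remote (fail closed).
    """
    try:
        peer = ipaddress.ip_address(peer_addr)
    except ValueError:
        return False

    peer_is_trusted_proxy = any(peer in net for net in TRUSTED_PROXIES)
    if x_forwarded_for and peer_is_trusted_proxy:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        if not hops:
            return False
        try:
            client = ipaddress.ip_address(hops[-1])
        except ValueError:
            return False
        return is_private(client)

    # No header, or a header from a peer we did not configure as a proxy:
    # ignore the header and judge the peer address itself.
    return is_private(peer)


if __name__ == "__main__":
    # A public client reaching the instance through the LAN proxy.
    print(naive_client_is_local("192.168.1.10"))             # True: misclassified as local
    print(client_is_local("192.168.1.10", "203.0.113.5"))     # False: judged by the forwarded address
    # A LAN client through the same proxy is still recognised as local.
    print(client_is_local("192.168.1.10", "192.168.1.42"))    # True
    # A public peer spoofing the header gains nothing.
    print(client_is_local("203.0.113.5", "192.168.1.42"))     # False
```

The point of the second function is not that forwarded headers are dangerous but that trusting the peer address without knowing whether a proxy sits in front of the instance turns "on the LAN" into "came through the proxy", which for an Internet-facing proxy means everyone.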

Nabu Casa’s Engagement

Ostensibly, two Nabu Casa parties engaged the community: forum moderators and GitHub developers.

The moderators let the debate breathe; their interventions were limited to correcting or adding context around technical points. The forums were the main channel for the exchange of opinions.

The developers responded through the issues and vulnerability reports raised on GitHub, invariably advising that the feature worked as designed, since Home Assistant now considered the local area network conventionally trusted, and that a feature request was therefore the appropriate channel. The discussions were then locked (at least the first ones).

In the meantime, behind the scenes, the devs were in fact discussing a rapid fix. This resulted in update 2023.12.3, which reverted to the usual login, accompanied by a public vulnerability disclosure under CVE number CVE-2023-50715.

In a blog post Nabu Casa gave two reasons for the decision:

  • They had listened to the users’ concerns.
  • Users with instances behind misconfigured proxies were unwittingly exposing the data to the public.

Lessons Learned

  • Devs and product management need to (better) consider the security implications of any change to the authentication procedure.
  • Better communication from the devs to the community would have prevented, shortened or cooled off many debates.
  • Not rushing to dismiss users’ security concerns and cross out their feedback with canned responses would have softened many reactions and created a more amicable dialog.

Thanks to the community for being so security-conscious. And thanks to the devs for rapidly implementing the fix.