In release 2023.12 we added a redesigned login page to Home Assistant. It detects when you are accessing Home Assistant via your local home network, and if so, presents a redesigned login experience that shows your user profiles. If you access Home Assistant from outside your home network, the login page still asks for your username and password, like before.
We have heard the concerns from the community that this functionality can open up your Home Assistant instance to a user enumeration attack from within the local network. A malicious actor with access to your local network could get the names and pictures of all Home Assistant users. They could use this information to make attacking your Home Assistant instance easier.
A security issue was filed for this on December 10; we have accepted and published the corresponding GitHub Security Advisory, and have disabled the redesigned login page functionality in patch 2023.12.3, released on December 14.
While researching the feedback we received, we were troubled to discover that the users who experienced problems with the new login page often used misconfigured reverse proxies. When the reverse proxy is not configured correctly, Home Assistant is no longer able to discern between traffic from your local home network or a public network. These users would see the redesigned login page when accessing Home Assistant from outside their home network.
To improve the network security of these users, we are researching how we can use Home Assistant to detect more variations of misconfigured proxies and inform them about it.
We redesigned the login page because we believed the local home network is within the privacy of your own home and a trusted environment for showing the people in it. We assumed that users attempting to log in on the local network are also trusted and allowed to see other user profiles, similar to what Microsoft, Apple, Netflix, and other companies assume in their products.
That said, we do hear you and take your feedback, and the potential security risk to users with misconfigured reverse proxies, seriously. Thank you for bringing this to our attention and being open about your concerns.
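To make the failure mode in the announcement concrete, here is an added, simplified model of the "is this request local?" decision and of the two reverse-proxy misconfigurations that break it. This is illustration code written for this thread, not Home Assistant's own implementation; the network ranges, the trusted-proxy list and the sample addresses (192.168.1.2 as the proxy, 203.0.113.5 as an internet client) are constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional

# Ranges treated as the "local home network" in this example: RFC 1918 space,
# loopback, and IPv6 unique-local/loopback. Constructed for illustration.
LOCAL_NETWORKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "fc00::/7", "::1/128")


def _in_any(addr: str, cidrs: Iterable[str]) -> bool:
    """True if addr falls inside any of the given CIDR ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the address the server should treat as the client, or None if unknown.

    X-Forwarded-For is honoured only when the TCP peer is a declared trusted proxy.
    The chain is walked from the right (the hop nearest to us); the first hop that is
    not itself a trusted proxy is the client. A malformed header, or a chain made up
    entirely of trusted proxies, yields None so the caller can fail closed.
    """
    trusted_proxies = list(trusted_proxies)
    if not x_forwarded_for or not _in_any(peer_ip, trusted_proxies):
        return peer_ip
    try:
        hops = [str(ipaddress.ip_address(h.strip())) for h in x_forwarded_for.split(",")]
    except ValueError:
        return None
    for hop in reversed(hops):
        if not _in_any(hop, trusted_proxies):
            return hop
    return None


def show_profile_picker(peer_ip: str, x_forwarded_for: Optional[str],
                        trusted_proxies: Iterable[str]) -> bool:
    """The announcement's rule: show user profiles only to local-network clients."""
    client = effective_client_ip(peer_ip, x_forwarded_for, trusted_proxies)
    return client is not None and _in_any(client, LOCAL_NETWORKS)


def proxy_misconfiguration(peer_ip: str, x_forwarded_for: Optional[str],
                           trusted_proxies: Iterable[str]) -> Optional[str]:
    """Flag the two ways a LAN reverse proxy hides the real origin of a request.

    Either case makes every proxied request look like it came from the proxy's own
    LAN address, which is exactly what exposed the profile list to the internet.
    """
    trusted = _in_any(peer_ip, list(trusted_proxies))
    if trusted and not x_forwarded_for:
        return "trusted proxy forwarded no client address; every request looks local"
    if not trusted and x_forwarded_for:
        return "X-Forwarded-For received from an undeclared proxy; header ignored"
    return None


if __name__ == "__main__":
    # Hypothetical deployment: reverse proxy at 192.168.1.2 in front of the server.
    proxy = ["192.168.1.2/32"]
    cases = [
        ("LAN client, no proxy", "192.168.1.20", None, []),
        ("internet client via correct proxy", "192.168.1.2", "203.0.113.5", proxy),
        ("internet client, proxy not declared", "192.168.1.2", "203.0.113.5", []),
        ("internet client, proxy sends no header", "192.168.1.2", None, proxy),
    ]
    for label, peer, xff, trusted in cases:
        print(f"{label}: picker={show_profile_picker(peer, xff, trusted)}, "
              f"warning={proxy_misconfiguration(peer, xff, trusted)}")
```

The two "misconfigured" cases both return `picker=True` for a client that is really on the internet, while `proxy_misconfiguration` is the kind of check the post says is being researched: it can warn the operator before any trust decision is made on a proxied address.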
The issue here is that users then might activate it and thereby disclose information to the internet without knowing it and HA can’t at the moment detect these situations and warn about them.
Having it as an option, when HA can detect the insecure situation, would be perfect, so the situations are safe, but the user still can choose the way the HA UI represents itself.
The issue with a bedroom door is that you might not know that you unlocked it and thereby grant access to the other members of the household without knowing it. Or worse, you might also not know that you unlocked the front door. Kwikset can’t at the moment detect these situations and warn about them. Therefore, from now on, all Kwikset bedroom door knobs will require a key to get back in your bedroom.
PS: joking apart, still like the fact that HA listens to the community feedback. Kudos.
But would rather see some of the top feature requests crossed out from the list.
Feature requests are just a way to show developers what the users would like.
The developers do not have to listen to the users. They choose the way they want and the users have to accept that and follow along or leave.
Besides, this was not a feature request, but a vulnerability flaw fix. The only reason for the existence of the request is that initially the devs didn’t want to fix it and sent us to the blackhole of feature requests.
I think this makes it abundantly clear Nabu Casa need to invest in a security engineer for their team. Someone who can catch these types of issues and advise on the overall security posture prior to a monthly release.
“When the reverse proxy is not configured correctly, Home Assistant is no longer able to discern between traffic from your local home network or a public network. These users would see the redesigned login page when accessing Home Assistant from outside their home network.”
Anyone on the internet can see all of your Home Assistant users, which they can then use to potentially reverse lookup your login, perhaps with existing password databases. It’s a big deal.
That snippet is their way to save face somewhat. Still, they fixed it quickly and I’m glad about it.
Yes, it’s true that some proxies may be misconfigured (although there may be reasons not to pass the client IP in some setups) but the new login was turning a possible misconfiguration into a straight up security hole.
Maybe the issue here is the assumption that the local network is trusted at all. I can imagine that some users have Home Assistant running in commercial environments, or in small businesses. Making this behaviour opt-in would be a good start if we wish to keep it.
We assumed that users attempting to log in on the local network are also trusted and allowed to see other user profiles, similar to what Microsoft, Apple, Netflix, and other companies assume in their products.
This is incorrect, no? Like it makes no sense to me. Netflix only shows other profiles, if you’re already authenticated… I can’t just navigate to Netflix, Apple or Microsoft on my computer and hope to see my wife’s accounts just because we share the same network. Maybe they are referring to logging into an Apple or Microsoft device, but in that case you’re logging into a physical device; not a network device.