This is a disclosure about security vulnerabilities found in 3rd party custom integrations. Custom integrations are not created and/or maintained by Home Assistant. Users install them at their own risk. We want to inform you about these because the found vulnerabilities impact the security of your Home Assistant instance.
If you do not use custom integrations, your Home Assistant is not vulnerable. If you do use custom integrations, your instance might be vulnerable if you use one of the impacted integrations.
Really impressed with the way this has been handled, especially giving users clear paths to mitigate the vulnerability without advertising it to potential bad actors. Great work from everyone involved.
For some reason the lists of vulnerable / previously vulnerable custom integrations are not showing up in my browser. Could be a firefox extension thing my end. Either way I can see the lists in the original blog post linked in small text at the end of the post.
I believe changes have already been made to HA to close this vulnerability already, hence the push to get everyone to update their installation. If a new component is developed against the current HA codebase, it’s already going to avoid this vulnerability.
If it’s something that can be ‘relatively’ easily explained, purely out of curiosity, how would this have happened? IE how would the vulnerability have been exploited?
That is to say that as far as I know I can only access hacs from my interface when it is logged in, but the vulnerability appeared to be able to utilise an ‘unauthenticated webview’.
I don’t understand how homeassistant and custom components speak to each other, so maybe it’s obvious to some, but if anyone can give us a clue in 5 paragraphs or fewer just to satisfy my curiosity I’d appreciate it.
If it’s way too complicated for a simple explanation, that’s fine too
I’m sorry for probably a dumb question:
Exactly what credentials do I need to change:
A) credentials from the users that I’ve created in home-assistant
B) credentials that are stored in configuration.yaml, and probably any credential that I’ve entered in the integrations
C) any more??
Some custom components send files and/or data from the backend (server) to the frontend (browser) because they need this to work as advertised.
The attack consists in tricking the component to send data they are not meant to send.
Is there any additional information available about the URL of the webview? I’d like to look through my proxy’s access logs to see if my HACS install was taken advantage of. Even something as simple as just “grep for [this]” would be great, if there’s anything specific enough.