Disclosure: security vulnerabilities in custom integrations HACS, Dwains Dashboard, Font Awesome and others

Wow, good catch by the security researcher!!

It's nice to see that there are still some people who care for others and have the knowledge & skill.

Gj!!

1 Like

Very well handled.

1 Like

Not sure if I get this right. A possible attacker (outside my network) needs to know my Nabu Casa URL
to use this security vulnerability? (given that I don't have Home Assistant exposed in any other way)

After some research I think the answer is yes.

If so, is it easy for someone to get my Nabu Casa URL? (excluding torturing me :sweat_smile:)

Not so good a question, when I think twice. It's easy and not easy, as I know now; whatever the answer is, the security vulnerability is still there.

Sorry for another question. I am using your great Bitwarden add-on; as the vault and master password are encrypted, there is nothing to worry about here? :pleading_face:

From what I found out, access to the database could have been possible. So it would depend a bit on how strong the master password is and how long it would take to crack it.

Thanks in any case to the HA Team for the fast response and professional handling on this. :heart:

Thank you to the development team for their handling of this full topic, well handled, clear comms and a very quick resolution. Great work!

So this vulnerability, in theory, could have given unauthorized access to my secrets.yaml file? Just want to be doubly certain I understand this situation correctly since I have so much more to say…

Based on the information here, yes; assume your secrets.yaml and the rest of the /config directory was exposed.

That's what I thought… And this is exactly why I disagree that the steps taken to inform the public were sufficient.

Giving custom component authors time to fix their code does not outweigh the need to be fully transparent with your user base. The security bulletin published on Jan 14th did not disclose the extent of the vulnerability, nor did it warn users to change their passwords. Anyone competent enough to use a secrets.yaml file now has to go through the process of changing every single one of the secrets, some of which may not be possible (legacy Nest integration anyone?).

Sorry folks, but I respectfully disagree that your approach was sufficient. You should have been more detailed in your initial warning. Guidance to update passwords should have been given on January 14, especially because secrets.yaml, the recommended method of securing sensitive data, was impacted by the vulnerability.

What level of directory has been exposed? Only the homeassistant config folder?

In a supervised install or HA OS, was ssl safe? What about add-ons?

If I had multiple keys in ssl and Bitwarden in add-ons, do I need to change them all?

I've been trying all afternoon to figure out if there's any way I can feel secure about my legacy Nest integration… so far, no.

You know… EVERY OTHER organisation gets vulnerabilities… and we don't find out for months and years!

This community handled this within a week in a steady, thought-out process…

Was it perfect…? Well, maybe they learned how they might do it differently next time.

But in all fairness… they handled it better than companies who handle our personal banking and credit information.

6 Likes

Good communication and actions HA team. Thank you.

What does that do that the new one doesn't?

HASS team, thank you for your transparency, and I'll have to say you are dealing with these known issues with the utmost professionalism. Chapeau to the team.

If you forgot to lock your front door one day, would you be happy for that information to be broadcast in public before you had a chance to get home and resolve the problem?

As for having to update secrets/passwords, that would have been required regardless of when the vulnerabilities were disclosed. Even if there was full disclosure on the 14th, which I think would have been crazy, the vulnerabilities had been around for months I suspect, so changing credentials would have been the advice regardless.

There's a reason this is common practice.

Well done Dev team.

1 Like

I really like and appreciate the way this has been handled. Kudos to all the devs for this and the actions you have taken.

1 Like

Well handled. And good to know that this was entirely accidental on the part of the custom integration developers. The worst case scenario of having an actually malicious integration actively stealing data or opening a backdoor would have been much worse.

Very well done to all within the Nabu Casa team.
Handled as best as can be given the situation.

And as others have mentioned, yes, giving enough information to cause users to bring about action, but not enough to tip off potential bad actors on how to look for said exploit, that was the right call.

Thank you for this guys, handled really well. As many people have said, the best thing to do is change all credentials on HA and anything in secrets.yaml. Yes, it might take some time and become a tedious task, but ultimately this could have happened to any other piece of software and it wouldn't have been disclosed for a longer period of time. A big thank you to all the contributors and authors working on this great system and integrations in their spare time as volunteers.

You've missed the point. We should have been told that our credentials, all of them, were at risk on the 14th. Not the 22nd.

Regardless, what's done is done. Ultimately, my constructive feedback is for the devs so they may inform future decisions. This is an opportunity for them to improve their process and I am confident that they are listening, even if it may be hard to hear.

I guess there will always be those who criticise how things are handled. If they can do better, try helping out.

6 Likes