This Supervisor vulnerability completely bypassed authentication. Your password is irrelevant in this case. You only needed to know the URL.
This vulnerability was absolutely catastrophic. Pretty much the worst-case scenario for security. I hope that the appropriate consequences will be taken with respect to how this part of HA is managed and audited in the future, considering how this vulnerability has gone undiscovered for years and how far-reaching the access it granted was. And especially considering the past high-horse we-know-better attitude the Supervisor devs displayed towards users and their supposed bad security practices (see the whole pwnd password thing). HA needs to be professionally pen tested. I know this is expensive. But who knows what else lingers below the surface.
That said, the Nabu Casa URL exposure thing is different. That’s how non-wildcard certs work for subdomains, for better or for worse. The random URLs are just security theater. Afaik NC never advertised it as a security feature, but a lot of third-party online resources did, adding to the confusion. So it’s perfectly understandable that many people thought it would increase security. You can still pay for an NC subscription as a way to help HA development. But on the technical side, there are much better solutions for secure HA access (VPN, secure tunnels, limiting IP ranges, port knocking, etc.).
That was a conscious decision on their part. With a wildcard cert they could intercept all customer traffic, which is problematic. They did not want to go that way. It’s a tradeoff.