Is it only me who thinks that the new feature of listing the users just by navigating to the webpage from anywhere on the LAN is a face-palming security problem? Or should I get scanned for a tinfoil hat?
Simply by sending a GET to HA anyone on any subnet on the local area network now gets back a listing of the accounts.
Note that for a large bulk of users HA is not a side tinkering toy (although there’s always a factor of that) but a means to monitor and physically control the most critical technical and safety-related aspects of their homes.
If you were auditing the security of software, what would you think if the very first time you get to the server it gave you back the existing user accounts?
Imho it is mainly considered that the LAN is a “trusted network”.
But also ofc there is a probability that an intruder may enter your LAN, get a list of users & then try to find their passwords.
Vulnerability, but how serious depends on how critical you consider HA, and the overall security posture you’ve adopted for your LAN.
I only have one HA user account, so to me it’s an academic question. But having worked in data security, yeah, giving out a list of users could be a bad idea. On the other hand, for non-critical systems where there are a number of unsophisticated users, it might make the system seem more “friendly” to them, and increase acceptance.
In the end my preference for this (and many, many other recent changes) would be to let the user decide. If we wanted a locked-down system where some remote committee of designers decided what was best for us, I’d buy Apple hardware.
I think that unless HA is used in a proof-of-concept manner, relegated to trying it out with irrelevant devices, this feature is an obvious security hole.
Even so, if you had only $1 in your bank, would you be fine with the banking site displaying your account numbers to anyone who simply browsed to it from your IP?
IoT devices are notoriously insecure. And Home Assistant is nothing less than the central monitoring and control system used to manage them. Thus, security is paramount.
Found a mitigation at least for requests from outside the local network if you are behind a proxy: Rewrite the X-Forwarded-For header to always present the client IP to HA as being an external address. For example, for Caddy you would do this:
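The following is an added illustration of the X-Forwarded-For rewrite described in the post above; it is not the poster's own snippet and not part of the Home Assistant project. It assumes Caddy v2 proxying to an HA instance on 127.0.0.1:8123 and uses 203.0.113.1 (a TEST-NET-3 documentation address) as the fake external client address; both are assumptions for the example.

```caddyfile
# Added example, not the original poster's configuration.
# Caddy v2 site block in front of Home Assistant (assumed at 127.0.0.1:8123).
ha.example.com {
    reverse_proxy 127.0.0.1:8123 {
        # Caddy normally forwards the real client IP in X-Forwarded-For.
        # Overwrite it with a fixed non-private address (TEST-NET-3, RFC 5737)
        # so HA never classifies the request as coming from the local network.
        header_up X-Forwarded-For 203.0.113.1
    }
}
```

For HA to honour the header at all, its `http:` section needs `use_x_forwarded_for: true` and a `trusted_proxies:` entry for the address Caddy connects from (127.0.0.1 in this example); without those HA ignores X-Forwarded-For and judges by the TCP peer. Two caveats: HA must not be reachable on port 8123 except through the proxy (bind it to localhost or firewall it), or the rewrite is trivially bypassed; and because every request now appears to come from 203.0.113.1, HA's own login-attempt logging and IP banning lose the real client address.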