Show Users to Unauthenticated Parties - Feature or Vulnerability?

Is it only me who thinks that the new feature of listing the users just by navigating to the webpage from anywhere on the LAN is a face-palming security problem? Or should I get scanned for a tinfoil hat?

Simply by sending a GET to HA anyone on any subnet on the local area network now gets back a listing of the accounts.

Note that for a large bulk of users HA is not a side tinkering toy (although there’s always a factor of that) but a means to monitor and physically control the most critical technical and safety-related aspects of their homes.

If you were auditing the security of software, what would you think if the very first time you get to the server it gave you back the existing user accounts?

3 Likes

Imho it is mainly considered that LAN is a “trusted network”.
But also ofc there is a probability that an intruder may enter your LAN, get a list of users & then try to find their passwords.

Vulnerability 100%

3 Likes

Vulnerability, but how serious depends on how critical you consider HA, and the overall security posture you’ve adopted for your LAN.

I only have one HA user account, so to me it’s an academic question. But having worked in data security, yeah, giving out a list of users could be a bad idea. On the other hand, for non-critical systems where there are a number of unsophisticated users, it might make the system seem more “friendly” to them, and increase acceptance.

In the end my preference for this (and many, many other recent changes) would be to let the user decide. If we wanted a locked-down system where some remote committee of designers decided what was best for us, I’d buy Apple hardware.

4 Likes

In the spirit of HA’s open & flexible mantra, I think this is a reasonable feature request:

I think that unless HA is used in a proof of concept manner, relegated to try it with irrelevant devices, this feature is an obvious security hole.

Even so, if you had only $1 in your bank, would you be fine with the banking site displaying your account numbers to anyone who simply browsed to it from your IP?

IoT devices are notoriously insecure. And Home Assistant is nothing less than the central monitoring and control system used to manage them. Thus, security is paramount.

Found a mitigation at least for requests from outside the local network if you are behind a proxy: Rewrite the X-Forwarded-For header to always present the client IP to HA as being an external address. For example, for Caddy you would do this:

header_up X-Forwarded-For "^192\.168\.(.*)$" "168.192.$1"

Another option could be to enable NATing for the HA subnet using a public address pool, if your router supports it.

None of the above takes care of the threat from the local subnet, but that can also be mitigated by isolating HA in a dedicated network only for it.

Still, all these kludges can go away with a simple frontend option to disable presenting the user accounts to anyone who hits the server.

1 Like
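The proxy-side rewrite above, generalised to every private, loopback and link-local range rather than just 192.168.0.0/16, as an added example that is not code from the thread or from Home Assistant or Caddy. It assumes the proxy builds the header from the TCP peer address it observed itself (never from a client-supplied X-Forwarded-For) and that any globally routable placeholder address is enough for HA to stop treating the client as local.

```python
import ipaddress

# Placeholder presented to HA for LAN clients. Constructed for this example;
# the only requirement is that HA does not classify it as a local address.
EXTERNAL_PLACEHOLDER = "168.192.0.1"


def is_local_client(addr: str) -> bool:
    """True for RFC 1918 / ULA, loopback and link-local addresses (v4 and v6).
    Raises ValueError on a malformed address."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local


def forwarded_for_header(peer_ip: str) -> str:
    """Value the proxy should send upstream as X-Forwarded-For.

    Built only from the peer address the proxy itself saw; an inbound
    X-Forwarded-For from the client is deliberately ignored, otherwise a
    LAN client could choose the address HA sees. A malformed peer address
    fails closed and is also replaced by the placeholder.
    """
    try:
        local = is_local_client(peer_ip)
    except ValueError:
        local = True
    return EXTERNAL_PLACEHOLDER if local else peer_ip


if __name__ == "__main__":
    # Constructed sample peers: three private ranges, loopback, ULA v6, one public.
    for peer in ("192.168.1.23", "10.0.0.5", "172.31.4.2", "127.0.0.1", "fd12::1", "1.1.1.1"):
        print(f"{peer:>14} -> {forwarded_for_header(peer)}")
```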

Feature has been disabled and update will be out soon: