Came across an alarming feature the other day, my wifi QR code was publicly accessible online! (see my specific query here = tldr I use the duckdns method to connect remotely, image used in picture card for guests to log on via the wall-tablets).
It seems there is little reason to have the domain.tld:8123/local/ directory available to anyone with the file names and locations. As well as potentially sensitive floorplans (valuable items and cctv locations anyone?!), profile pics, qr codes in my case, etc. HACS stores its frontend files in the www directory, not sure if there's any risk there but I'd rather as little as possible was accessible without auth.
The only way the attacker could view your data is to pick the right name of your files or directories, he can brute force but it's pretty hard to find them. You could implement ip ban too to minimize this issue
I would argue that obfuscation doesn't provide any real online security. There is, as far as I can tell, no reason for www to be exposed to the public by default, unless you want something or some files to be publicly accessible. Tightening security of our installs is no bad thing.
e.g. if you could find someone's domain (i.e. from Shodan), and try simple filenames, something like "/local/floorplan.png" possibly, this could expose the layout of someone's house, camera locations, exits etc, to bad actors... In the realms of a spy thriller perhaps, but possible! While some people may obfuscate our file names and subfolders etc, not everyone would! (I have since removed my guest wifi qr code from my lovelace to avoid any risk, until I find a better solution - or ha devs can fix this issue)
IP ban wouldn't make any difference to this, www (or domain.tld:8123/local) is publicly accessible... so no auth requests will be made.
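As an added example (not code from the thread or from Home Assistant itself), a small Python audit that lists what a config/www tree exposes at /local/ and, optionally, confirms from outside that each URL answers without credentials; the base URL, the sample files and the "sensitive name" patterns are assumptions.

```python
import re
import tempfile
from pathlib import Path
from urllib.request import Request, urlopen
from urllib.error import HTTPError

# Filename patterns that often hold sensitive content (constructed; extend to taste)
SENSITIVE_NAME = re.compile(r"wifi|qr|floorplan|cctv|camera|profile|password", re.I)


def public_url(base_url: str, rel_path: str) -> str:
    """Home Assistant serves config/www/<rel_path> at <base_url>/local/<rel_path>."""
    return f"{base_url.rstrip('/')}/local/{rel_path}"


def audit_www(base_url: str, www_dir) -> list:
    """Every file under www, with its unauthenticated public URL and a sensitivity flag."""
    www_dir = Path(www_dir)
    findings = []
    for p in sorted(www_dir.rglob("*")):
        if p.is_file():
            rel = p.relative_to(www_dir).as_posix()
            findings.append({"file": rel, "url": public_url(base_url, rel),
                             "sensitive": bool(SENSITIVE_NAME.search(rel))})
    return findings


def http_status_no_auth(url: str) -> int:
    """GET the URL of your own instance with no Authorization header; return the status."""
    try:
        with urlopen(Request(url, method="GET"), timeout=10) as resp:
            return resp.status
    except HTTPError as e:
        return e.code


def confirm_exposure(findings: list, fetch=http_status_no_auth) -> list:
    """URLs that answer 200 with no credentials, i.e. reachable by anyone who knows the name."""
    return [f["url"] for f in findings if fetch(f["url"]) == 200]


def demo() -> dict:
    """Stand-alone run on a constructed www tree; the HTTP check is replaced by a stub."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "guest-wifi-qr.png").write_bytes(b"png")
        Path(tmp, "floorplans").mkdir()
        Path(tmp, "floorplans", "ground.png").write_bytes(b"png")
        Path(tmp, "hacs").mkdir()
        Path(tmp, "hacs", "x.js").write_bytes(b"js")
        findings = audit_www("https://example.duckdns.org:8123", tmp)
    stub = lambda url: 404 if "/hacs/" in url else 200  # constructed responses
    return {"findings": findings, "exposed": confirm_exposure(findings, fetch=stub)}
```

Run `demo()` to see the constructed case; for a real audit call `audit_www` on your own config/www path and `confirm_exposure` with the default fetcher against your own base URL.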
I was really surprised by this as well. I stumbled on it when I realized nabu casa was serving it up to the world with no password protection.
I have no idea how this stuff works, but is there a reason these files need to be publicly available? Like when sending a snapshot attached to a push notification? At the very least it would be nice to come up with a way to make it more clear to the user that this stuff is all out there. I'm fairly sure it's in the docs, but I think it is easy to miss. If I recall, a "www" folder is commonly used for serving up content to the world wide web, but what about those of us who lack this tribal knowledge?
To be fair, HTTP is part of default_config and because it is enabled by default, that means most people won't ever go to the HTTP page to see the warning. Yes, it's there, but unless someone is explicitly going to that section of the docs, they'll never see it. Personally, I think it should be part of the onboarding docs or at least linked there and the same from the Nabu Casa docs (Home Assistant Cloud - Home Assistant).
haha I knew I was going to get shit for posting it, but whatever. I'm learning! While I completely accept my responsibility in all of this, I do think an engineer is compelled to consider users of all skill levels and abilities when designing a system that can do harm. In this case, it sounds like a consideration was made and risk ultimately deemed low - it is hard or impossible for anyone to find these files, but just in case there's a warning. That works for me; consider me sufficiently no longer worried.
Yeah, I figured get it into cloud and then I was going to go back and push a PR for security and onboarding. But, I'll start with security and go from there.