In release 2023.12 we added a redesigned login page to Home Assistant. It detects whether you are accessing Home Assistant via your local home network and, if so, presents a redesigned login experience that shows your user profiles. If you access Home Assistant from outside your home network, the login page still asks for your username and password, as before.
We have heard the concerns from the community that this functionality can open up your Home Assistant instance to a user enumeration attack from within the local network. A malicious actor with access to your local network could obtain the names and pictures of all Home Assistant users and use that information to make attacking your Home Assistant instance easier.
A security issue was filed for this on December 10. We have accepted and published the corresponding GitHub Security Advisory, and we disabled the redesigned login page functionality in patch 2023.12.3, released on December 14.
While researching the feedback we received, we were troubled to discover that the users who experienced problems with the new login page often used misconfigured reverse proxies. When the reverse proxy is not configured correctly, Home Assistant only sees the proxy's own address as the source of every request and therefore cannot distinguish traffic from your local home network from traffic from a public network. These users would see the redesigned login page even when accessing Home Assistant from outside their home network.
To improve the network security of these users, we are researching how Home Assistant can detect more variations of misconfigured proxies and warn the affected users about them.
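To make the failure mode concrete, here is a small Python model, added for this page and not Home Assistant's own code, of how the `http:` integration's `use_x_forwarded_for` and `trusted_proxies` options (real option names) decide which address a proxied request is attributed to, and therefore whether it counts as local. The class and function names, the hard rejection of a forwarded header from an untrusted peer, and the list of networks treated as "local" are simplifications assumed for this example, and the sample addresses and headers are constructed. It also includes a heuristic check of the kind the previous paragraph describes, flagging a request that carries `X-Forwarded-For` while the server is not set up to trust the proxy that sent it.

```python
"""Illustrative model of reverse-proxy client-IP handling (example code, not
Home Assistant's implementation).  Assumptions: names below are invented for
the example; Home Assistant's real logic lives in its `http` integration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Networks this example treats as "the local home network" (assumption; an
# approximation of RFC 1918 plus loopback and IPv6 link-local/ULA).
LOCAL_NETWORKS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


@dataclass
class HttpConfig:
    """The two `http:` options involved.  The option names are the real
    configuration.yaml keys; the class itself is an assumption of this example."""
    use_x_forwarded_for: bool = False
    trusted_proxies: List[str] = field(default_factory=list)  # CIDR strings

    def is_trusted_proxy(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(c, strict=False) for c in self.trusted_proxies)


def is_local(ip: str) -> bool:
    """True when the address falls inside one of LOCAL_NETWORKS."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


def client_ip(peer_ip: str, headers: Dict[str, str], cfg: HttpConfig) -> str:
    """Return the address a request is attributed to.

    peer_ip is the TCP peer; when a reverse proxy is in front, that is the
    proxy's own LAN address, not the browser's.
    """
    xff = headers.get("X-Forwarded-For")  # real servers match header names case-insensitively
    if not cfg.use_x_forwarded_for or xff is None:
        # Header ignored: the proxy's LAN address becomes the "client", so every
        # proxied request, including one from the internet, looks local.
        return peer_ip
    if not cfg.is_trusted_proxy(peer_ip):
        # A forwarded header from a peer we do not trust could be forged by the
        # client itself; this example models that as a hard reject (assumption).
        raise PermissionError(f"X-Forwarded-For received from untrusted peer {peer_ip}")
    hops = [h.strip() for h in xff.split(",")]
    # Walk right to left past our own trusted proxies; the first hop that is not
    # one of them is the address the outermost trusted proxy actually talked to.
    for hop in reversed(hops):
        if not cfg.is_trusted_proxy(hop):
            return hop
    return hops[0]  # every hop was a trusted proxy; fall back to the leftmost entry


def request_is_local(peer_ip: str, headers: Dict[str, str], cfg: HttpConfig) -> bool:
    """The decision that gated the redesigned login page: local or not."""
    return is_local(client_ip(peer_ip, headers, cfg))


def proxy_misconfiguration(peer_ip: str, headers: Dict[str, str],
                           cfg: HttpConfig) -> Optional[str]:
    """Heuristic check (assumption, not Home Assistant's detection): a request
    carrying X-Forwarded-For means something is proxying, so the proxy must be
    both enabled and trusted or the local/remote decision is unreliable."""
    if "X-Forwarded-For" not in headers:
        return None
    if not cfg.use_x_forwarded_for:
        return ("X-Forwarded-For present but use_x_forwarded_for is off: "
                "every proxied request is attributed to the proxy and looks local")
    if not cfg.is_trusted_proxy(peer_ip):
        return f"X-Forwarded-For present but peer {peer_ip} is not in trusted_proxies"
    return None


# Constructed sample: a reverse proxy on the LAN at 192.168.1.10 forwarding a
# request whose real origin is the public address 203.0.113.5.
PROXY_IP = "192.168.1.10"
PROXIED_HEADERS = {"X-Forwarded-For": "203.0.113.5"}

MISCONFIGURED = HttpConfig()  # defaults: the forwarded header is ignored
# configuration.yaml equivalent of CORRECT (real option names):
#   http:
#     use_x_forwarded_for: true
#     trusted_proxies:
#       - 192.168.1.10
CORRECT = HttpConfig(use_x_forwarded_for=True, trusted_proxies=["192.168.1.10/32"])

if __name__ == "__main__":
    print("misconfigured, internet client looks local:",
          request_is_local(PROXY_IP, PROXIED_HEADERS, MISCONFIGURED))
    print("correct, internet client looks local:",
          request_is_local(PROXY_IP, PROXIED_HEADERS, CORRECT))
    print("warning:", proxy_misconfiguration(PROXY_IP, PROXIED_HEADERS, MISCONFIGURED))
```

With the default configuration the internet-originated request is attributed to the proxy's 192.168.1.10 and classified as local, which is exactly the situation the post describes; with the proxy trusted and forwarding enabled the same request resolves to 203.0.113.5 and is classified as remote.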
We redesigned the login page because we believed the local home network is within the privacy of your own home and a trusted environment for showing the people in it. We assumed that users trying to log in on the local network are also trusted and allowed to see other user profiles, similar to what Microsoft, Apple, Netflix, and other companies assume in their products.
That said, we do hear you, and we take your feedback, and the potential security risk to users with misconfigured reverse proxies, seriously. Thank you for bringing this to our attention and for being open about your concerns.