Homeseer Webserver open to hackers

Skibum

Senior Member
Jon00 has pointed out to HS that a vulnerability exists in their webserver, allowing total system access.

http://board.homeseer.com/showthread.php?t=103307

Instead of announcing that fact, HS has instead chosen to keep it under the table until they can plug that hole. .... when all that is necessary for a temporary fix is to turn off guest access.

IMHO
Notice should have been posted about the vulnerability as soon as it was discovered. For HST to turn a blind eye to this is really really poor decision-making...


Comments?
 

electron

Administrator
Staff member
Most big companies work the same way, only announce the issue once there is a fix for it. The problem with announcing this WITHOUT a fix is that this might be an incentive for some hacker-wanna-be to poke around until he finds the issue, since he now knows for sure it exists.
 

Tink

Member
Yes, our reason for not disclosing it is exactly what was mentioned - why give people a chance to find systems that have the exploit?

Also, if you look at the thread on the message board you will see that it is not a flaw in the webserver - it is acting exactly as designed, but rather there is a flaw in the common way in which the security features are used, exacerbated by people copying and pasting other people's code.

We can, nonetheless, help the issue by making a change which is what we are doing, and when we have that done we will notify people of the issue, how to correct it, and what we have done to mitigate it.

Regards,


Rick
 

jon00

Member
Skibum said:
Jon00 has pointed out ....allowing total system access.
Not true.

This is a small vulnerability but personal information could be obtained via the Web server.
 

Skibum

Senior Member
I'm impressed.... I actually got an answer from you!

Thanks for that.

I guess it is just my opinion that something like this should have been out in the open as soon as it was discovered. I read big "E's" answer, and now yours, and understand your points. I guess now everyone will be trying to find the exploit!

Can you answer this? Is it just guest guest access, or any web access? Can I change my login to user, user, and not have to worry?


Will 2.0 be out before the fall? (Couldn't resist, I'm still Skibum) ;)
 

smee

Senior Member
Maybe something like this should be emailed to registered users? Should they warn people that guest access should be turned off until a security fix is available?

This way, no details need to be given out (making life easier for hackers) and people will be protected.
 

jon00

Member
Skibum said:
Jon.. If you did not have system access, how did you get Ruppster's email stuff?

All will be revealed ...soon, but you are all reading too much into this. I wish I could tell you more but I have been asked to keep quiet at the moment.
 

DavidL

Senior Member
HST made the right call not to inform the whole wide world. It's a balance of letting the HS users know vs. letting the whole hacker community know. I highly suspect there will be much less damage if they get the upgrade together and then provide the details once the fix is released.
 

Squintz

Senior Member
Didn't take this topic very long to hit Google News... Type in HomeSeer in Google News and this thread is the first thing you will see.
 

BraveSirRobbin

Moderator
Squintz said:
Didn't take this topic very long to hit Google News... Type in HomeSeer in Google News and this thread is the first thing you will see.
Yes Squintz, all the more reason we should post with a certain amount of discretion as NOT to hurt others in our community. I believe (of course in my own mind) that CocoonTech has become a very powerful source of information and we certainly do not want anyone to use information gathered here for any "ill will". ;)
 

Skibum

Senior Member
Topics hit the news because they are important. If I were able to revise the title of my post I would. Perhaps "Unknown vulnerability in Homeseer exists" or "Possibility of information loss with latest Homeseer"

If you feel that I was trying to HURT anyone, then you had better re-examine your opinion of me.

In my first post I clearly stated what my opinion was, and merely asked for comments.

The only mistake it seems that I made was to insinuate that the vulnerability was in the webserver, which Rick pointed out was not the case, and that is an endemic problem within Homeseer itself.


IMHO I still believe that a simple notice to turn off guest access if you are the least bit worried about security would not have been too much to ask. On further reflection, if no mention was made of the vulnerability on the HS board in the first place, we would not be attempting to have this discussion.
 

Squintz

Senior Member
No hard feelings at all towards you Ski... If it were not for you posting here on the CocoonTech board then I probably would have never known. I just thought it was ironic about how the topic of this discussion was whether or not we should keep things like this a secret and yet only a few minutes after the post was made it was basically as public as you can get it.

A simple e-mail telling us to turn off guest access would have been nice, but face it: none of us would have ever known if Jon had not hinted at the issue. What "Everyone" doesn't know "Shouldn't hurt us". But now we know, so a warning should be issued in bigger, bolder lettering and not hidden in a thread somewhere.

I can't wait until we can know the full details. I'm a curious little fella!
 

BraveSirRobbin

Moderator
The comment was not directed towards anyone, just a statement that a LOT of people are viewing and listening to what we post here. I believe this is actually a GOOD sign that CocoonTech is starting to make its mark as a valuable source of information exchange for the security/automation/home theater players.
 

jon00

Member
I was probably wrong to have mentioned this security issue on the HS forum but the latest version has fixed this problem even though there are other problems with this version.

The issue here is that HST never actually told me to keep quiet, I only did this as it was common sense to do so. I was not even contacted to tell me that they were applying a fix for this. It is only because I installed the latest version and tried to see if the issue had been resolved that I knew!

When Rupp stated that there is no reason to upgrade, I felt it my duty to say that there was. The trouble is that it appeared that my post was suspect because HST had not mentioned anything about it. My little visit to Rupp's site was to wake up the community to try and encourage the upgrade - nothing more. This was probably wrong on my part.

Luckily HST have now taken the issue up and with all the interest it has now caused, they will have to get an update out ASAP.

Please do not get paranoid about this issue. It is small and will not affect many users.
 