Homeseer Webserver open to hackers

Jon00, I think you did the right thing by posting that "tidbit" in the HS forums. If it were not for you, this problem would not be known about at all. At least this gives us fair warning to allow HS to fix the problem, and allow HS users to turn off guest access in the mean time.

I also understand you not wanting to let the "cat out of the bag". If the problem was publicly known, then it would be very easy to exploit. As it is, no one knows what the problem is, and therefore no one can not take advantage of it.

As it is right now, there is no way someone can take complete control of your HS computer. So this should not be blown out of proportion as others have said. It is just that some private information, such as caller ID information and other web pages in your HS/html directory could potentially be seen. This "problem" is contained strictly to the HS/HTML folder and below. It is not even possible for someone to control any of your events or devices from what I understand.

When HST gets the issue taken care of, I am sure they will announce sometihing and make everyone aware of what should be done to fix it. Hopefully.....

On another note, it is amazing how Google Picked up on this so fast! Woah!
 
We always planned to address the issue and to notify people once our change to mitigate it was in a published version. We never intended to try to hide it. It just made no sense to tell people to disable guest access when the possibility of the exploit being discovered was very low - it took John (Jon?) 4-5 years (not sure how long the web server has been in HS) to discover it. If we had published the exploit before we had a version with the fix, then I can guarantee people would be trying it out on everybody's machines that are on the Internet.

I thought I did ask that this be kept quiet until we can address it, but perhaps I did not since the problem is not with the webserver. I probably meant to ask that it be kept quiet after we decided to make a change to help mitigate it, but obviously forgot. I knew that mentioning anything would become a big deal as it certainly has.

When we notify users of this, it will be via newsletter, updater notices, message board, etc. with a recommendation to update to the new version of HomeSeer as well as to get updates on software from application providers.

All will be told soon - we tested a build yesterday that has the other issue in the release resolved and so I believe it will be published today.
 
Can i recommend that you allow the upgrade to be available for atleast 24 hours before posting the actual steps which could be taken to access information. It would be nice to give people some time to actually get to their machine and upgrade before to much info is released.
 
imo, the 'exploit'/detailed steps should never be released, there are plenty of people which don't want to (or can't) upgrade for certain reasons.
 
electron said:
imo, the 'exploit'/detailed steps should never be released, there are plenty of people which don't want to (or can't) upgrade for certain reasons.
I agree.

But since the discussions have mentioned that part of the problem is copied code, I assume that it means that scripts (or something similar) are involved. If things need to be changed even with the HS fix, then it may be necessary to expose the details.
 
Back
Top