Author Topic: SERIOUSLY MICASAVERDE?

Offline achalhoub

  • Jr. Member
  • Posts: 86
  • Karma: +0/-0
SERIOUSLY MICASAVERDE?
« on: August 12, 2011, 05:49:09 am »
Let's say hypothetically, I would like to be a jackass, and I would like to stop remote access for someone who owns a Vera2.

All I have to do is to do the following:

1. go to cp.mios.com
2. put his username (known stuff)
3. click on forget password
4. put his email (easy)
5. click on send

Instead of sending an email containing a reset link, MIOS directly RESETS the password and informs you by email of the new password. I think this is terribly wrong.

If your friend is outside the country, he is toasted.

In my case, I was using the "forget password" for a legitimate reason from outside the house. Surprise! My password was reset, and I didn't get THE EMAIL WITH THE NEW PASSWORD.

It took me the whole day to:
1. go home to be able to access locally
2. open a support ticket
3. wait for the customer support, and explain every detail of this maneuver, and make sure to tell him "I checked the SPAM folder", "I know my email address" etc.
4. after our long email conversation, the magical email appeared with the new password (IN MY INBOX).


You really need to fix the "Forgot Password" feature.

1. Passwords controlling people's homes shouldn't be reset that easily (with a username and an email). It is a major disaster for people who do not know about technology.

2. Reliable email messaging service to confirm email changes should be a priority and reach customers with no delays.


THIS IS SIMPLY UNACCEPTABLE.

Offline mcvflorin

  • Administrator
  • Hero Member
  • Posts: 1756
  • Karma: +11/-3
Re: SERIOUSLY MICASAVERDE?
« Reply #1 on: August 12, 2011, 11:47:14 am »
I added a feature request in Mantis and gave it the highest priority. This will be fixed shortly.

Offline robinnes

  • Full Member
  • Posts: 172
  • Karma: +0/-0
Re: SERIOUSLY MICASAVERDE?
« Reply #2 on: August 12, 2011, 02:00:46 pm »

4. put his email (easy)

Am I missing something here? How do you know his email address?
Does it compare the user's email address to the one registered to his MiOS account and prohibit the reset procedure if the email addresses don't match?
« Last Edit: August 12, 2011, 02:05:22 pm by robinnes »

Offline achalhoub

  • Jr. Member
  • Posts: 86
  • Karma: +0/-0
Re: SERIOUSLY MICASAVERDE?
« Reply #3 on: August 13, 2011, 02:22:42 am »
MCVFlorin, Thank you.

robinnes, the email address is not something hidden. I am assuming you know your friend's email address. You could try with all his email addresses.

The second point you raised is important too. Will it only reset based on username? I don't know, and frankly I am reluctant to try it right now.

Offline Henk

  • Beta Testers
  • Hero Member
  • Posts: 822
  • Karma: +3/-0
Re: SERIOUSLY MICASAVERDE?
« Reply #4 on: August 13, 2011, 02:46:14 am »
All,


First off, I suggest moving this thread to the SECURITY section of the board.

Without diminishing the issue, I have some remarks.

1. Even if you find the correct combination of username / registered email address (which I personally don't share even with friends), how will you be able to intercept the email with the new password?

Knowing your friend's address doesn't give you the login to his account, does it?!?

2. Security is usually based on a few pillars. You have to know something, own something and do something. This combination creates security in layers. As far as I can see, MCV at least created a few layers by combining aspects.

I strongly agree with the fact that Vera's security can be improved. The problem might be Vera's limited hardware specs, but I have seen useful suggestions on password complexity, use of SSL and the implementation of other sorts of encryption.

Personally, I think that as soon as there is a stable firmware for Vera, robust server support from MCV and the new UI is available, the security architecture as a whole for Vera should become top priority.

My 2 cents,

Henk

« Last Edit: August 13, 2011, 04:08:15 am by Henk »
| Vera2 @ UI4 1.1.1350 / 3.20 | Vera Lite @ UI5 | Vera 3 @ UI5 | 2x Merten  504519 | 1x Duewi  064374 | 1x Everspring SM103 doorbell mod |1 Y-cam IP cam | various LUUP plugins |

Offline achalhoub

  • Jr. Member
  • Posts: 86
  • Karma: +0/-0
Re: SERIOUSLY MICASAVERDE?
« Reply #5 on: August 13, 2011, 11:19:41 am »
Hi Henk,

my answers to your questions are below:

1. While I will not be able to intercept the password in the new email, I will cause enough nuisance by resetting a user's password without him knowing unless he checks his email. Unlike any other software, Vera is automatically resetting the password to an autogenerated password and sending it by email. Correct practice would be for them to send a reset password link by email. If the user does not log in to his email and click it, nothing should happen to his original password.
In my case, the password was reset and the email didn't reach me. I had to go home, access Vera locally and raise a ticket to receive my new password.

I don't know if all people (especially non-techies) think that the email and username themselves are secret. For them, email is meant to be shared, while the username is something really intuitive.

2. This is a classic scenario of using publicly known information to modify private information.
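
As an added illustration (not code from this thread, from MiOS or from any Vera firmware), the two flows side by side: the behaviour described in the opening post, where username plus email replaces the password on the spot, and the reset-link flow described in this reply, where nothing changes until the owner presents the token from the emailed link. The account store and `TOKEN_TTL` are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo account store; a real service would keep password hashes in a database.
USERS = {"alice": {"email": "alice@example.com", "password": "correct horse", "reset": None}}
TOKEN_TTL = 3600  # seconds a reset link stays usable (assumed value)


def flawed_forgot_password(username, email):
    """The behaviour the thread complains about: username + email is enough to
    replace the password on the spot, before the account owner has done anything."""
    user = USERS.get(username)
    if user is None or user["email"] != email:
        return None
    user["password"] = secrets.token_urlsafe(12)
    return user["password"]  # would be emailed; the old password is already gone


def request_reset(username, email, now=None):
    """Reset-link flow, step 1: record a short-lived, single-use token and return it
    (it would be placed in the emailed link). The password is untouched, so someone
    who merely knows the username and email can at most trigger an email."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or user["email"] != email:
        return None
    token = secrets.token_urlsafe(32)
    # Store only a digest, so a leaked database does not hand out live reset tokens.
    user["reset"] = {"digest": hashlib.sha256(token.encode()).hexdigest(), "expires": now + TOKEN_TTL}
    return token


def complete_reset(username, token, new_password, now=None):
    """Reset-link flow, step 2: runs only when the owner follows the link. Checks
    expiry and the token (in constant time), burns the token, then sets the password."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    pending = user["reset"] if user else None
    if pending is None or now > pending["expires"]:
        return False
    digest = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, pending["digest"]):
        return False
    user["reset"] = None  # single use: a replayed link does nothing
    user["password"] = new_password
    return True
```

Whether `complete_reset` succeeds is the only point at which the stored password changes, which is exactly the property the immediate-reset variant lacks.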


Offline hightop32

  • Jr. Member
  • Posts: 92
  • Karma: +0/-0
Re: SERIOUSLY MICASAVERDE?
« Reply #6 on: August 13, 2011, 01:15:05 pm »
Good find. I agree with the password reset link vs auto reset of password. If that would have been the case, this 'bug' wouldn't be of such high priority.

In that context, one could be sent password reset attempts by email all day using known information, but said password would not be reset unless acknowledged by the registered user of the Vera.

I could see this being a concern particularly for renters, where people might be privy to information like your name and email address etc.

Offline Henk

  • Beta Testers
  • Hero Member
  • Posts: 822
  • Karma: +3/-0
Re: SERIOUSLY MICASAVERDE?
« Reply #7 on: August 13, 2011, 01:46:30 pm »
@achalhoub,

Agreed to 1&2 and to the fact that Vera's security IS an issue.

Although 1 can be a nuisance and unwanted behaviour, at least Vera is not immediately compromised by it.

@mcvflorin addressed it at least by creating a bugreport.

As for 2, partially true. Again, usernames are not "standard" or publicly known like email addresses.

But I see your point that it's at least "guessable".

My advice for all those who are concerned:

1. If possible, ALWAYS change administrator accounts' login name and password.

2. Create a hard to guess username for your remotely accessible devices.

3. If you use services that allow you to reset your password by email confirmation (and there are plenty these days), create a special email address for those!

Good find achalhoub!
