home-assistant / core

:house_with_garden: Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

iCloud continual emails #46308

Open jscherry opened 3 years ago

jscherry commented 3 years ago

The problem

iCloud with 2FA is working again but I receive 2-4 emails per day saying someone has logged into my account through a web browser? Is this normal?

What version of Home Assistant Core has the issue?

2021.2.2

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

iCloud

Link to integration documentation on our website

No response

Example YAML snippet

# Put your YAML below this line

Anything in the logs that might be useful for us?


# Put your logs below this line

nothing in the logs

I’d run iCloud integration before it stopped working properly last year and didn’t receive all the emails about logins? It has done this since reinstalling it 2021.2.1 and 2021.2.2. I’m using a Blue Odroid N2+

Mic92 commented 3 years ago

I used to filter out those emails but now Apple also continuously requests new verification codes. In my case it's probably because my server is in a different part of the world (Finland), while I usually log in from Germany.

Mic92 commented 3 years ago

An issue similar to this one was closed with https://github.com/home-assistant/core/issues/34332#issuecomment-615234223

Mic92 commented 3 years ago

I don't think this is something home-assistant can solve. pyicloud needs app-specific passwords or this will pop up every time because of Apple's brain-dead heuristics.

Mic92 commented 3 years ago

I am using this sieve filter to kill the email:

```sieve
if header :contains "Subject" ["Your Apple ID was used to sign in to iCloud"] {
  discard;
  stop;
}
```

I think this is the best we can do right now.

jscherry commented 3 years ago

Where do you plug that email sieve in. Is it email settings in Apple?

RSDynamics commented 3 years ago

At my installation (2021.2.2) it starts with an error in the log. 2021-02-10 16:40:27 ERROR (SyncWorker_8) [pyicloud.base] Authentication required for Account. (421)

The integration is still working so I don’t know where the error comes from. After the error I receive two emails half an hour after each other.

but it works way better than it was. The pop-ups on the iPhone are gone after the latest update.

Mic92 commented 3 years ago

> Where do you plug that email sieve in. Is it email settings in Apple?

No, my very own email server. Most other providers come with some mail filters so, even if it is not sieve - you can take it for inspiration.

Mic92 commented 3 years ago

> At my installation (2021.2.2) it starts with an error in the log. 2021-02-10 16:40:27 ERROR (SyncWorker_8) [pyicloud.base] Authentication required for Account. (421)
>
> The integration is still working so I don’t know where the error comes from. After the error I receive two emails half an hour after each other.
>
> but it works way better than it was. The pop-ups on the iPhone are gone after the latest update.

I also had a problem logging in until I deleted .storage/icloud in my home-assistant directory, which is /var/lib/hass on my system.

Mic92 commented 3 years ago

I would suggest to keep this open until a better upstream solution in icloud is found. Otherwise people will open the same issue over and over again.

RSDynamics commented 3 years ago

> At my installation (2021.2.2) it starts with an error in the log.
>
> 2021-02-10 16:40:27 ERROR (SyncWorker_8) [pyicloud.base] Authentication required for Account. (421)
>
> The integration is still working so I don’t know where the error comes from.
>
> After the error I receive two emails half an hour after each other.
>
> but it works way better than it was. The pop-ups on the iPhone are gone after the latest update.
>
> I also had a problem logging in until I deleted .storage/icloud in my home-assistant directory, which is /var/lib/hass on my system.

I deleted the iCloud folder before the installation of the integration but I can try that again.

Mic92 commented 3 years ago

> I also had a problem logging in until I deleted .storage/icloud in my home-assistant directory, which is /var/lib/hass on my system.
>
> I deleted the iCloud folder before the installation of the integration but I can try that again.

Not sure if that is the reason, but could it be that you don't have two factor authentication enabled?

Mic92 commented 3 years ago

> Where do you plug that email sieve in. Is it email settings in Apple?

A different workaround is to create a new iCloud ID and invite your other account via family sharing. This is what I am doing.

RSDynamics commented 3 years ago

> I also had a problem logging in until I deleted .storage/icloud in my home-assistant directory, which is /var/lib/hass on my system.
>
> I deleted the iCloud folder before the installation of the integration but I can try that again.
>
> Not sure if that is the reason, but could it be that you don't have two factor authentication enabled?

The two factor is enabled. When I logon on a new machine. I always have to verify. Also on the HomeAssistant when installing the integration. So that all seems to work great.

FostWare commented 3 years ago

Additionally, it also produces these 'login notification' emails when configured with an 'application password' created on the appleid.apple.com website. These are specifically designed for systems that cannot handle the need for AppleID 2FA.

Mic92 commented 3 years ago

Right the underlying library does not support application passwords. This is a known issue.

Vip0r commented 3 years ago

same here.

@Mic92 : Do you know if there is some work currently to enable the underlying library using app passwords?

Within the icloud settings it seems also not possible to disable those security warnings in general :(

Mic92 commented 3 years ago

> same here.
>
> @Mic92 : Do you know if there is some work currently to enable the underlying library using app passwords?

I am not involved in development but it does not seem like it.

> Within the icloud settings it seems also not possible to disable those security warnings in general :(

awooganl commented 3 years ago

Was hoping this was resolved with the last update, but the emails just keep on getting in.

maddox commented 3 years ago

Ignoring the email or making a rule to put it in the trash is a huge security issue. These emails exist to notify you that someone has logged in.

That being said, it looks like I’m getting 2fa requests on my phone again, just like the issue that had us turn this component off many months ago.
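
As an added illustration (not part of the thread, and not Home Assistant or pyicloud code): instead of discarding the sign-in notices, a script can check each one against the pyicloud re-authentication errors in the Home Assistant log and surface the notices the integration does not account for. The 90-minute window, the limit of two notices per logged event, the shared timezone and all sample data apart from the first log line are assumptions.

```python
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
SUBJECT = "Your Apple ID was used to sign in to iCloud"  # subject quoted in the thread
# Log line format as quoted in the thread (pyicloud.base, status 421).
REAUTH_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) ERROR \(\S+\) \[pyicloud\.base\] "
    r"Authentication required for Account\. \(421\)"
)

# Constructed sample data: only the first log line is taken from the thread.
HA_LOG = """\
2021-02-10 16:40:27 ERROR (SyncWorker_8) [pyicloud.base] Authentication required for Account. (421)
2021-02-10 16:41:02 INFO (MainThread) [example.component] constructed unrelated line
2021-02-11 03:12:44 ERROR (SyncWorker_3) [pyicloud.base] Authentication required for Account. (421)
"""
MAILS = [  # (received time, subject), assumed to be in the same timezone as the log
    ("2021-02-10 17:10:05", SUBJECT),
    ("2021-02-10 17:41:30", SUBJECT),
    ("2021-02-10 17:55:00", SUBJECT),  # third notice for one re-auth: over the limit
    ("2021-02-11 03:44:00", SUBJECT),
    ("2021-02-12 14:02:19", SUBJECT),  # no re-auth logged anywhere near
    ("2021-02-12 15:00:00", "Some other subject"),
]


def reauth_times(log_text):
    """Timestamps of pyicloud re-authentication errors in a Home Assistant log."""
    return [datetime.strptime(m.group(1), FMT)
            for line in log_text.splitlines() if (m := REAUTH_RE.match(line))]


def triage(log_text, mails, window=timedelta(minutes=90), per_event=2):
    """Split sign-in notices into (explained, needs_review).

    A notice is 'explained' if it arrived within `window` after a logged
    re-authentication that has not already accounted for `per_event` notices.
    Both limits are assumptions based on the timing reported in the thread.
    """
    events = reauth_times(log_text)
    remaining = [per_event] * len(events)
    explained, needs_review = [], []
    for stamp, subject in sorted(mails):
        if SUBJECT not in subject:
            continue  # not a sign-in notice
        t = datetime.strptime(stamp, FMT)
        hit = next((i for i, e in enumerate(events)
                    if timedelta(0) <= t - e <= window and remaining[i] > 0), None)
        if hit is None:
            needs_review.append(stamp)
        else:
            remaining[hit] -= 1
            explained.append((stamp, events[hit].strftime(FMT)))
    return explained, needs_review


if __name__ == "__main__":
    ok, review = triage(HA_LOG, MAILS)
    for stamp, event in ok:
        print(f"{stamp}  matches re-auth logged at {event}")
    for stamp in review:
        print(f"{stamp}  NO matching re-auth in log: review this sign-in")
```

A match only shows that a notice coincides with a logged re-authentication; it does not identify the client that signed in.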

xhe9 commented 3 years ago

Dude it sucks but log into another ios device to recover even if it's a different server or ip it will or should work at least smh

ajboelen commented 3 years ago

There is a rather easy solution.... see ChipWolf's message. It is a smart workaround to create an app-specific password that fits the apple API. I used this method and received no mails and or messages since, and all family phones and watches are visible in HAS.

gedger commented 3 years ago

For info the ChipWolf's solution of appending an app-specific password doesn't solve the problem for me.

frenck commented 3 years ago

I've added this integration a couple of days ago, and it keeps sending emails indeed. IMHO this is a security concern and this should not be happening.

Considering we have recently added discovery for this integration, I'll go ahead and remove this discovery. IMHO, we should not recommend using this integration until this is resolved.

gedger commented 3 years ago

I had had a scan of the open issues on the picklepete/pyicloud library and there doesn't appear to be any open issue related specifically to this problem. If no other users of the library see it as an issue is it the way HA is using it or should HA raise a new issue against the library?

Fofer commented 3 years ago

> Ignoring the email or making a rule to put it in the trash is a huge security issue. These emails exist to notify you that someone has logged in.

Indeed. And as the emails are vague (no device or location info) they're an added layer of aggravation. When I first got these, I was confused and semi-alarmed, so I quickly changed my AppleID password, and updated all of my devices, only to later figure out that there was no rogue login, it was from this Home Assistant integration.

The emails were coming in about twice a day, usually at night, and usually a half hour apart.

Even worse, merely disabling this integration didn't curtail the emails for me. I had to delete the entire integration, and for good measure, delete the .storage/iCloud directory, and reboot the Pi with Home Assistant, for them to stop. For now at least...?

Why doesn't disabling this integration stop the iCloud logins?

hamdanfadi commented 3 years ago

I have the same issue, however this causes an issue for me when I try to log in to iCloud from any device connected to the same network. When I removed iCloud integration, everything works fine.

hamdanfadi commented 3 years ago

BTW, I tried to create an APP-SPECIFIC PASSWORDS didn't work. This might resolve this issue

meminens commented 3 years ago

Just wanted to report that I have this issue as well. A few emails every day.

maxibick commented 3 years ago

Issue still exists. In my case the amount of notification mails increases when I use the app specific password instead of the 2FA method.

hamdanfadi commented 3 years ago

2FA method never work for me! The issue these logins attempts consider by apple as specious!


> Issue still exists. In my case the amount of notification mails increases when I use the app specific password instead of the 2FA method.

OMGTheCloud commented 3 years ago

+1 this issue. I too did the emergency password change when I suspected my account was compromised.

roens commented 2 years ago

I too face this issue. And wholly agree that just ignoring (filtering away; deleting) the emails is a significant security issue. Apple sends the alert emails for a reason: if someone inappropriately has the ability to auth into my iCloud account, I totally want to know.

The problem seems to be a lack of setting that the client is "trusted" from an initial authentication. (Could be acquired when setting up the integration?) And from perusing the picklepete/pyicloud package, it appears this is something they've fixed back at v0.7.3. Maybe this is just a lack of setting that the integration is api.is_trusted_session?

gedger commented 2 years ago

I've been having the same issue and have stopped using the plugin. I would like to understand whether this is an issue being faced by everyone with 2FA and the majority of people are choosing to ignore the warning emails? Or is this only affecting a few individuals? The developers have closed the issue so nothing is being investigated which indicates there is no problem. I asked for the HA documentation to be updated with a warning that these messages will (could?) happen so at least it would be clear, but it's still unclear. Shame really, as this is a useful plugin but is unusable for me in its current form.

hamdanfadi commented 2 years ago

> I too face this issue. And wholly agree that just ignoring (filtering away; deleting) the emails is a significant security issue. Apple sends the alert emails for a reason: if someone inappropriately has the ability to auth into my iCloud account, I totally want to know.
>
> The problem seems to be a lack of setting that the client is "trusted" from an initial authentication. (Could be acquired when setting up the integration?) And from perusing the picklepete/pyicloud package, it appears this is something they've fixed back at v0.7.3. Maybe this is just a lack of setting that the integration is api.is_trusted_session?

Can you please explain more? What I should do to stop this issue?

roens commented 2 years ago

> I too face this issue. And wholly agree that just ignoring (filtering away; deleting) the emails is a significant security issue. Apple sends the alert emails for a reason: if someone inappropriately has the ability to auth into my iCloud account, I totally want to know.
>
> The problem seems to be a lack of setting that the client is "trusted" from an initial authentication. (Could be acquired when setting up the integration?) And from perusing the picklepete/pyicloud package, it appears this is something they've fixed back at v0.7.3. Maybe this is just a lack of setting that the integration is api.is_trusted_session?
>
> Can you please explain more? What I should do to stop this issue?

Knowing that other iCloud client authentications tend to have a "trust this" setting, I went looking into the module you're using here: picklepete/pyicloud. What I found is that this package/module has a similar capability of storing a token when performing authentication. It appears to be the api.is_trusted_session, and its use is described in the repo's README.

Being able to store a token when authenticating to iCloud allows the client to re-authenticate (re-connect) later, without triggering iCloud's notification to the account owner of a "new (unknown) connection".

I hope this helps. If I were better versed in Python, I might attempt the fix myself.

hamdanfadi commented 2 years ago

Hi Mario, Thanks for your help. I’m wondering where I can find those config files? I couldn’t find them!

Cheers,

> Knowing that other iCloud client authentications tend to have a "trust this" setting, I went looking into the module you're using here: picklepete/pyicloud. What I found is that this package/module has a similar capability of storing a token when performing authentication. It appears to be the api.is_trusted_session, and its use is described in the repo's README.
>
> Being able to store a token when authenticating to iCloud allows the client to re-authenticate (re-connect) later, without triggering iCloud's notification to the account owner of a "new (unknown) connection".
>
> I hope this helps. If I were better versed in Python, I might attempt the fix myself.

HVR88 commented 2 years ago

Is this possibly the issue causing these emails?

https://github.com/picklepete/pyicloud/issues/224

github-actions[bot] commented 2 years ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.

ShadowRep commented 2 years ago

Issue still exists.

HAIM359 commented 2 years ago

I confirm, issue still exists…

abdul2000 commented 2 years ago

Issue still exists and now it is causing continual warning from Apple about possible security breach. I think the authentication needs to be looked at again and implemented properly.

as-spaargaren commented 2 years ago

Issue still exists.

What version of Home Assistant Core has the issue? Frontend-versie: 20220707.1 - latest

What was the last working version of Home Assistant Core? None, integration installed 2 days ago.

What type of installation are you running? Home Assistant Docker on Synology DSM

Integration causing the issue iCloud

danb35 commented 2 years ago

I've been using HA with the iCloud integration for about a month now, and the email issue has been constant during that time, about once a day. But starting today, about every hour or so, every device that's signed into my iCloud account is getting a popup about a new device trying to sign in. When I click "Allow", I get a six-digit code to enter to authorize it--but I don't see anywhere in HA to enter that code. So I click the "Done" button on the window with that code, and I get the same popup in about an hour.

I'm running HA Core 2022.10.3 on HAOS 9.2.

The emails were annoying and a security risk, but the popups are making this nearly unusable.

marcelheinrichs commented 2 years ago

Same problem at my side like danb35 wrote. Here my details:

Home Assistant 2022.10.1 Supervisor 2022.10.0 Operating System 9.0 Frontend 20221006.0 - latest

memesalot commented 2 years ago

Issue still exists

Manantra commented 2 years ago

issue still there for me

LuisPalacios commented 1 year ago

Same issue here.

Home Assistant 2022.12.1 Supervisor 2022.11.2 Operating System 9.3 Frontend 20221208.0 - latest

I've been using HA with the iCloud integration for approx. 1,5 months now, and the email issue has been constant during that time, about once or twice a day.

metawops commented 1 year ago

same problem here. 🤷‍♂️ Considering not using this integration ... 😞

exSnake commented 1 year ago

We can't just ignore security emails from Apple, it's not a fix at all because we didn't have any info from iCloud that could be the integration to log in or someone else. Issue is still there, I just disable the integration.

memesalot commented 1 year ago

This should be somewhere up near the top of the list of things to fix for 2023...