martijnpoppen / com.synology.ss

Synology Surveillance Station 2 app for Homey
GNU General Public License v3.0

Unsecure connection with Synology #8

Closed thezahir1 closed 3 years ago

thezahir1 commented 4 years ago

This app connects to the Synology by sending username and password in plain text in the URL query string. Seems highly insecure! Quite vulnerable, if you ask me.

marcschut002 commented 4 years ago

Hi @thezahir1, I use Synology's own API guidelines (https://global.download.synology.com/download/Document/Software/DeveloperGuide/Package/SurveillanceStation/All/enu/Surveillance_Station_Web_API.pdf). Why is that insecure?

thezahir1 commented 4 years ago

Vulnerable to man in the middle attacks. Also, who guarantees that your app isn't storing these credentials somewhere? Not everyone will be skilled enough to code review your app. Quite strange indeed that these are apparently Syno's own guidelines. What kind of security policy is that, for a well-known IT brand like Synology? At least they should be using OAuth or an API key technique.

marcschut002 commented 4 years ago

I understand the man in the middle attack, and when you connect your device via 'http' the risk is even higher. I hope that most people that have a Synology realise that. The only thing I can do to make the security a little better is to try to POST the login data instead of doing a GET (though I have tried that before, I will try it again). When you pair your device, this is the only place where the credentials are validated by your NAS, and when it's ok the app gets a token in return. This token is valid until the NAS is restarted (after a restart you have to 'repair' your device on the Homey). Again, the app does not save the credentials (only the token). I know many people don't believe developers, so Homey has a validation/certification process for apps before any app gets published. They can see the source code that gets published and give the ok before it is published. When Synology supports OAuth I am the first one to implement it, but that is not yet the case. If you have another solution please let me know.
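The GET-versus-POST change and the token-only handling discussed in this thread, as an added Node.js example that is not code from the com.synology.ss app. The endpoint and parameter names (`/webapi/auth.cgi`, `SYNO.API.Auth`, `account`, `passwd`, `session`, `format=sid`, version 6) are taken from Synology's Web API guide and are assumptions here; `nas.example` is a constructed host.

```javascript
// Added example, not code from the com.synology.ss app: the SYNO.API.Auth
// login built two ways, credentials in the query string (what this issue
// objects to) and in a POST body. Endpoint/parameter names follow Synology's
// Web API guide and are assumed here; nas.example is a constructed host.
const LOGIN_PARAMS = { api: 'SYNO.API.Auth', version: '6', method: 'login' };

function authUrl(baseUrl) {
  const url = new URL('/webapi/auth.cgi', baseUrl);
  // Query string or body, a man in the middle reads both without TLS.
  if (url.protocol !== 'https:') {
    throw new Error(`refusing to send credentials over ${url.protocol}`);
  }
  return url;
}

// Before: the password travels in the URL and lands in NAS access logs,
// proxy logs and any debug output that prints the request URL.
function buildLoginRequestGet(baseUrl, account, passwd) {
  const url = authUrl(baseUrl);
  const params = { ...LOGIN_PARAMS, account, passwd, session: 'SurveillanceStation', format: 'sid' };
  for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
  return { method: 'GET', url: url.toString(), headers: {}, body: '' };
}

// After: the same parameters, carried in the request body instead.
function buildLoginRequestPost(baseUrl, account, passwd) {
  const url = authUrl(baseUrl);
  const body = new URLSearchParams({ ...LOGIN_PARAMS, account, passwd, session: 'SurveillanceStation', format: 'sid' });
  return {
    method: 'POST',
    url: url.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),
  };
}

// Review check: does any secret appear as a query parameter value?
function urlLeaksSecret(request, ...secrets) {
  const values = [...new URL(request.url).searchParams.values()];
  return values.some((v) => secrets.includes(v));
}

// Keep only the session id from the reply; the credentials are not retained.
function extractSid(replyJson) {
  const reply = JSON.parse(replyJson);
  if (!reply.success || !reply.data || typeof reply.data.sid !== 'string') {
    throw new Error(`login failed: ${JSON.stringify(reply.error || {})}`);
  }
  return reply.data.sid;
}
```

Running `urlLeaksSecret` over a request before it is sent (or over the app's requests during review) is a quick way to confirm that no password ever reaches the URL, whichever HTTP method is used.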

thezahir1 commented 4 years ago

Hi @marcschut002, POST instead of GET certainly sounds like a good start (if possible indeed). I am not doubting your sincere intentions, but from the user's standpoint, you will probably understand how unsafe it looks when seeing both your username and password to your NAS (and therefore personal content) in plain text displayed in someone else's app. Certainly not according to today's standard. Happy to see you're working on it though!

marcschut002 commented 3 years ago

I will close this issue since there is nothing I can do at this moment to improve this. When Synology supports OAuth the right way I will implement this.