pschroeder89 / homebridge-levoit-humidifiers

Levoit Humidifiers Plugin for Apple HomeKit via Homebridge
Apache License 2.0

Sensitive Information is not secure! #9

Closed timothymhowe closed 2 years ago

timothymhowe commented 2 years ago

Describe Your Problem: Used a set of credentials that I use only for risky security situations to set up the plugin, was concerned about submitting sensitive information to an unverified plugin. Within minutes of configuring the plugin, received email notification of attempted log-ins to several other accounts tied to the email.

Unclear if this is a problem that existed when the project was forked from the Levoit Air Purifier project, or if it's a new problem. Regardless, there appears to be a vulnerability somewhere along the line.

Environment:

pschroeder89 commented 2 years ago

Looking through the code, I'm not convinced this is happening via the plugin. The only POST call made with creds is to cloud/v1/user/login.

So either you have a bad plugin / virus on your Homebridge that is keylogging or submitting your conf file elsewhere, or it's coincidental.

FWIW, my account (gmail) has not gotten any login alerts / MFA requests since using this plugin or the air-purifier plugin it was based on. Here's where we make the call with creds directly to VeSync:

// Login request as posted by the maintainer; the call was missing its closing
// parenthesis and its indentation was uneven, both fixed here.
const response = await axios.post(
    'cloud/v1/user/login',          // relative path on the VeSync API
    {
        email: this.email,
        password: pwdHashed,        // password is sent hashed, not in clear text
        devToken: '',
        userType: 1,
        method: 'login',
        token: '',
        ...this.generateDetailBody(),
        ...this.generateBody()
    },
    {
        ...this.AXIOS_OPTIONS
    }
);

pschroeder89 commented 2 years ago

I'd also ask that you not log bugs like this unless you have proof that your data was sent from this plugin. Setting up Charles or Wireshark is simple and could show if something rogue in this plugin sent the request. I did just this and installed the plugin on a new Homebridge, logged in, and let it sit for 10 hours and haven't seen any calls to rogue IPs via Charles. Not to mention that this is an open-source plugin, so you can see exactly how it works and what requests it makes.

Giving anecdotal evidence while also saying you use this same email address for other risky situations is not helpful when writing a security bug. It also casts doubt on my work, as well as RaresAil's.