EDIT: I changed the title of the post from "find.hubitat.com redirects to getstarted.hubitat.com and allows anyone to become an admin and take over the hub" to the current title for anyone that might be confused reading this later.
When I go to find.hubitat.com it redirects me to getstarted.hubitat.com. From there I click through to step 4 to find my hub. When I click on my hub it takes me to http://<ip_address_here>/getstarted. On the Get Started page I am able to rename the hub and register the hub to a new email account. After walking through the steps, I went into the hub settings > hub details, and I see that the hub has a new name and 2 email addresses as admin on it.
Once I have registered the second email as an admin I am now able to go into My Hubitat and remove the original admin and disable the "hub login security".
This seems like a big vulnerability where anyone can take over a hub.
I expect it's designed so you have to be on the same LAN, but if someone had managed to hack into that, or you had an annoying house guest, then trouble could ensue.
This change does not pose any security threats, as if the user is not on the local network, no hubs are discovered on step 4 of the "Getting Started" workflow, after selecting "Find Hubs".
For those who may have bookmarked find.hubitat.com as the easy way to discover hubs on the local network, please visit findmyhub.hubitat.com, instead.
Being able to register myself as a new admin is still a big vulnerability. Anyone that has access to the hub's IP address can easily take over a hub. Your update relies on current customers and future customers to have knowledge of this issue and have the ability to isolate the hub in its own network. A lot of us don't have the capability to create VLANs to put the hubitat on a different network.
Even if we created a VLAN for IoT devices, one of those devices could be a bad actor, either by getting hijacked or intentionally bad from the start, and then take over the hubitat hub, locking us out. The only true way to solve this issue currently is to have the hubitat be the only thing in its own network.
There is another way that our developers are looking into, and that is to skip the Get Started if the hub is already registered. Thanks for bringing this to our attention. You have a valid point.
The hub knows if it has been registered, so I hope they just turn off the /getstarted page in this case to avoid this issue.
Of course, anyone on your local network can go to :8081 and reset your hub (since :8081 has effectively no security if you are on the same physical network). Then they'd be able to use /getstarted I suspect.
(basically: don't allow anyone you don't completely trust on your local network; e.g., use guest WiFi access)
Thanks for showing me the 8081 port for the hub. I was playing around and it looks like most of the buttons in there require the user to know the MAC address. Is there a way to take over the device using the 8081 page that I'm not seeing?
If you are on the same physical network as the hub, you can easily find its MAC address. Just use the "arp" command ("arp -a" on Windows, Linux, macOS, etc.) after you've connected to it.
Getting started logic has been tweaked in 2.3.1.132 release to prevent double registering the hub, among other things. During normal operation (unless the hub is soft reset), /getstarted will forward to the home page.
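An added check, not part of this thread or of Hubitat's own tooling, that a hub owner can run from the LAN after updating: it requests /getstarted without following redirects and reports whether the hub now forwards the page away from the registration flow, as the 2.3.1.132 note above describes. The hub IP is an assumption, and the soft-reset state is not detected; a "redirected" result only means the page is no longer served on a normal request.

```python
"""Verify that a Hubitat hub no longer serves the /getstarted registration page.

Assumes the hub answers plain HTTP on its LAN address (the IP is supplied by the caller).
"""
from typing import Optional
import urllib.error
import urllib.request
from urllib.parse import urlparse


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the hub's own answer is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # returning None makes urllib raise HTTPError for the 3xx


def classify_getstarted(status: int, location: Optional[str]) -> str:
    """Map the raw response to one of: redirected, exposed, unknown.

    redirected: the hub forwards /getstarted somewhere else (the fixed behaviour).
    exposed:    the registration page is served directly, or a redirect lands back on it.
    """
    if 300 <= status < 400 and location:
        path = urlparse(location).path.rstrip("/")
        return "exposed" if path.endswith("/getstarted") else "redirected"
    if status == 200:
        return "exposed"
    return "unknown"


def check_hub(ip: str, timeout: float = 5.0) -> str:
    """Request http://<ip>/getstarted once and classify the result; 'unreachable' on network errors."""
    opener = urllib.request.build_opener(NoRedirect)
    url = f"http://{ip}/getstarted"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_getstarted(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # raised for 3xx because NoRedirect declines to follow
        return classify_getstarted(err.code, err.headers.get("Location"))
    except (urllib.error.URLError, OSError):
        return "unreachable"


if __name__ == "__main__":
    import sys
    hub_ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder hub address
    print(f"{hub_ip}: /getstarted is {check_hub(hub_ip)}")
```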