How could guest user add another admin

Had a guest user on a hub I maintain for them somehow manage to add another user as admin. Not necessarily a problem, but I wouldn’t think that should be possible.

Do they know the admin credentials? Could a Hubitat admin login be left open in an app on their phone or computer?

1 Like

No to both.

I see something else about this that puzzles me.

I created an account with which I signed up for Remote Admin. Then put that account on the hubs I wanted to access remotely. I was under the impression that the remote admin was tied to that account. Apparently I am mistaken on this??

Because if another user who is listed as a user on that hub logs into my.hubitat.com, they also have access to remote admin on that hub.

Guess I just want some clarification.

That is correct. The only restriction a guest currently has is not being able to sign up for services or add another user to the hub, guest or otherwise.

Then back to my original post. How did the guest add another user, and an admin at that?

I just checked and a guest user can add another user. So again I’m confused.

Edit: I stand corrected. Even though the buttons are there when logged in as guest, I couldn’t add another user. So I’m really puzzled how that other user got added to the hub.

1 Like

Just to be safe, I deleted that second admin and put it back in as guest.

If you had two admins, they were there before my.hubitat.com was released. You were able to create additional admins before.

The hub wasn’t in service till a couple months ago. I’m trying to find out what procedure the guest user used to add the other user. Haven’t heard back yet.

1 Like

When I signed up for Remote Admin, Hubitat’s sign up process refused to let me subscribe to the service if there was more than one admin, forced me to delete all but one admin.

1 Like

Hello,

I noticed a quirk 6+ months back (that I was able to reproduce on command) to create multiple admin accounts.

I accidentally discovered this in my search to find a way to add more than one admin account. I can't recall the exact steps I used to exploit it but it was something similar to either pausing/stopping/going back during the account creation process.

I discovered it accidentally, then reproduced it. Then, I went a step further because I wanted to create multiple admin accounts (and a few extra for later down the road). I used this loophole to create like 10 copies of the admin account. At this point I thought I was pretty slick and went to try to alter them (so I could assign one to each of the members of my household) and it turns out you can't edit them lol. So I just deleted them.

I know this response doesn't help at all except for the fact that I have witnessed (with reproducible steps) a quirk where one COULD make multiple admin accounts.

1 Like

Thanks for your feedback. We haven't seen instances like you describe since we launched my.hubitat.com. However, the only reason we restricted the cloud registration to one admin per hub is that it causes a cloud backup failure for those who sign up for Hub Protect. Other than that, there are no negative side effects to having multiple admin accounts.

2 Likes

I think one thing I see as maybe a potential problem. When I signed up for the remote admin it was initially for a hub I installed at a friend's house a couple hours away. I saw it as a good solution to maintain his system. I didn't really need remote admin on my hubs and was surprised when it showed up available on my hubs.

Then I was under the impression that the remote admin was tied to an account. In other words I assumed you had to log in with the account used to set up the remote admin. But as it turns out any user, guest or otherwise, on the same hub as my account has remote admin access.

I would not do this, but I wonder how many people tell their buddies to put them on their hubs and thus can use their remote admin. Or worse yet, if someone got ahold of my email that I use they could add me as a guest user on their hub and then have free remote admin that I am paying for. And as a guest I couldn't remove myself from their hub. And I assume if they password protect the hub I couldn't get into the hub to mess them up.

Just something to think about.

I had the same confusion when I was setting up. I really thought I was just missing something obvious that was preventing me from making multiple admin accounts.

Bobby's added clarity helps now, but I think when I was a newbie trying to set up and NOT use all my newbie dumb question credits, I spent way more time on this problem than I should've.

1 Like

That is correct, initially. When you sign up for Remote Admin with one admin account, any hubs that match the admin account are automatically enabled to use the service. That's where the association with one account ends. Subsequently any users that are added to the hub as admin or guest have access to the Remote Admin. A guest cannot sign up or make changes to the cloud services, Remote Admin or Hub Protect.

Sure, but if someone got a hold of your account credentials, the implications could be far greater than someone piggybacking on your license. I would think that you'd contact us immediately if you notice an unknown hub listed on "Registered Hubs" on my.hubitat.com.

That's true, but in that case they would also have to have my password. Email address is given out easier.

I'm not really worried about it, just making sure I understand it all.

1 Like