We wanted to share a serious security concern that has been recently identified by one of our community users with the current design of the Hubitat Dashboard app.
Aaron 'theHastyOne' Hasty of Ostrich Lab first reported the issue on Aug 15 at 6:38 PM. Here is a summary of the issue discovered:
The current design of the Hubitat Dashboard app allows for broad privilege escalation and disclosure of devices connected to this smarthome hub. With a link to a single dashboard (even one with no devices associated with it), a user can control any and all devices associated with the hub, retrieve base64-encoded PIN numbers that are associated with the hub's Hubitat Safety Monitor app (alarm system), and enumerate device names that are related to other dashboards that have cloud access specifically disabled.
Our engineers confirmed the issue and a fix was first released to the beta channel on Aug 21 at 2:47 PM.
Today we are releasing the fix publicly and urge everyone using the Hubitat Dashboard app to update their hub to the latest version: 2.4.2.157.
Thanks again to @Hasty1 for responsibly bringing this to light!