Security Issue that needs to be fixed ASAP!

Security Issue that needs to be fixed ASAP!!!!!!!!!!!!!!!!!

I have a Hubitat hub at home and one at work, and I can log in to either one with either set of credentials.

NOT a good thing

There is actually no "login" per se for either hub. The logging on is really for registering your hub. You can connect directly to your HE hub by simply browsing to the IP address. Secure login has been a feature request for some time and may be implemented at some point, but for now, this is by design.

2 Likes

Thank you for the update

It's long been known that the initial login to Hubitat (portal.hubitat.com) is just a redirector to your local LAN IP address of the Hubitat hub. If that IP is known or scanned, hitting the hub via http://insert.hub.ip.address/ will result in full control of the hub with no further authentication (you can hit/control it without ever going to portal.hubitat.com and logging in). This really should be changed. Hopefully soon it will be otherwise as Hubitat gains in popularity/age, I think a CVE (Common Vulnerabilities and Exposures) will likely be issued regarding this.

1 Like

I posted a feature request a while back for a protected login for the hub in the forum: Protected web interface?

The last update was that it's "in development"; no ETA provided. They do at least understand that this is an issue for many people. Hopefully soon. In the meantime, only let people you trust on your LAN (and obviously don't port-forward or anything for remote access), both a good idea anyway. :slight_smile:

2 Likes

I agree completely with this. Though I'm rapidly trying to move to the platform, this is a major concern as it continues to be an outstanding feature request. Hopefully we'll see something soon. In the meantime I'm going to look at putting my hub behind some other authentication device, though it may prove to be challenging.
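One way to put an unauthenticated hub "behind some other authentication device", as an added example that is not part of the thread and not Hubitat code: a small authenticating reverse proxy. Clients talk to the proxy with HTTP Basic credentials; the proxy forwards accepted requests to the hub and never passes the client's Authorization header through. The hub address, port and credentials below are placeholders, and the example assumes the hub itself is reachable only from the proxy host (a firewall or VLAN rule that this code cannot enforce); without that, the proxy adds nothing.

```python
"""Minimal authenticating reverse proxy in front of an unauthenticated LAN device.

Added example; not Hubitat's code. Assumes the hub answers plain HTTP at HUB_ADDR
and that browsers are pointed at this proxy instead of the hub, with the hub
reachable only from the proxy host (firewall/VLAN rule, not shown here).
"""
import base64
import hmac
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

HUB_ADDR = "http://192.168.1.50"                      # placeholder hub address
PROXY_USER = os.environ.get("HUB_PROXY_USER", "admin")  # placeholder credentials
PROXY_PASS = os.environ.get("HUB_PROXY_PASS", "change-me")


def basic_header(user, password):
    """Build the 'Authorization: Basic ...' value a browser would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header_value, user=PROXY_USER, password=PROXY_PASS):
    """True only for a well-formed Basic header whose user:password matches.
    hmac.compare_digest keeps the comparison constant-time."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = f"{user}:{password}"
    return hmac.compare_digest(raw.encode(), expected.encode())


class AuthProxy(BaseHTTPRequestHandler):
    def _forward(self, body=None):
        # Reject before touching the hub; the client's Authorization header is
        # consumed here and deliberately not forwarded.
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="hub"')
            self.end_headers()
            return
        req = urllib.request.Request(HUB_ADDR + self.path, data=body, method=self.command)
        for name in ("Content-Type", "Accept"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                self._reply(resp.status, resp.headers.get("Content-Type"), resp.read())
        except urllib.error.HTTPError as e:          # hub answered with an error status
            self._reply(e.code, e.headers.get("Content-Type"), e.read())
        except urllib.error.URLError:                 # hub unreachable
            self.send_error(502, "hub unreachable")

    def _reply(self, status, content_type, data):
        self.send_response(status)
        if content_type:
            self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._forward()

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self._forward(self.rfile.read(length) if length else None)


if __name__ == "__main__":
    # Listen on all interfaces; put TLS in front of this if it leaves the LAN.
    ThreadingHTTPServer(("0.0.0.0", 8080), AuthProxy).serve_forever()
```

Set HUB_PROXY_USER and HUB_PROXY_PASS in the environment rather than keeping the defaults, and note that Basic auth over plain HTTP is only as private as the wire it crosses.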

I understand that the Hub is "wide open", but it's on your local LAN, same as the rest of your home.

But I don't understand the rending....

Are there a lot of people in your home that you don't trust to leave your stuff alone? Aren't you more worried about your wallet/purse or car keys? If I get invited to any of your homes, I'm bringing my Aeon ZStick and Exclude everything I can find :slight_smile: (jk) And because I've given you the idea, none are invited here!! :smiley: (double down on the jk)

Oh wait, I get it now.. Teenagers, you've got teenagers in the house.. :slight_smile:

1 Like

Teenagers + door and window monitors + browsers on their devices + wide open security on the hub. Pretty much the idea of the issue. That and my/their guests. It would be comforting to be able to maintain certain control of the environment and keep it locked down as much as possible. Preventing/reporting device exclusion should probably be next up on this list after hub authentication.

1 Like

I think you need to pitch this as a service... "Amazon's Smart Home Relocation Services" :laughing:

1 Like

Why would anyone be allowing guests to use their LAN???????
You should have a guest LAN they can log into which will not expose your HA to them.
I have my dashboard with a pin code as a little more protection.

Not me but I still want password protection with my HA. :grin:

Some people only have one subnet on their network; if someone plugs into your hardwired network they have access to your LAN. In any case it is normal for devices to be password protected, for better security.
It's a feature that I prefer to have.

As said above in this thread, secure login to the hub is in development. This is non-trivial. We plan to release it once it's complete and thoroughly tested. It is a top priority.

BTW, it will be optional.

9 Likes

Not to throw fuel on the fire, but I'm extremely concerned with the lack of security, more importantly from the cloud URL (https://cloud.hubitat.com/api) to my dashboard. I'm not prompted for any credentials when accessing the dashboard from the internet. As long as anyone on the internet has the cloud URL for my dashboard, they'll be able to control anything my dashboard has access to, including the Z-Wave deadbolt on my front door.

Maybe I'm doing something wrong. If so, please let me know

You can set a PIN per dashboard or turn off cloud access altogether for each dashboard.

1 Like

Ah, thanks. I missed that option.

I don't see a similar PIN option or a way to disable my information through the cloud api when I install the Maker API app. Am I overlooking it again?

There isn't an option in Maker API. This is coming in a future update to enable/disable Cloud / LAN access. Dashboards can restrict access to cloud or local and/or set a pin.

It would not make sense to do a PIN in Maker API.

The access_token is essentially a username and password for that app. That is the security. If you want to add it as a header instead of in the URL in the app you are connecting, you certainly can.
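An added example, not Hubitat's own code, of what the reply above means by sending the access_token as a header instead of in the URL, together with a scrubber for any token that still lands in a logged URL. It assumes the documented local Maker API URL shape http://<hub-ip>/apps/api/<app-id>/... and, following the reply, that the hub accepts the token as "Authorization: Bearer <token>" (treat that header form as an assumption to check against the Maker API docs for your firmware). HUB_IP, APP_ID and the token are placeholders.

```python
"""Maker API requests with the access_token in a header rather than the URL.

Added example, not Hubitat code. A token in the query string is copied into
browser history, proxy and web-server logs and Referer headers; a token in a
header is not. HUB_IP / APP_ID are placeholders; the Bearer header form is an
assumption taken from the forum reply, not verified against the docs.
"""
import re
import urllib.parse
import urllib.request

HUB_IP = "192.168.1.50"   # placeholder hub address
APP_ID = 12               # placeholder Maker API app instance id
TOKEN_RE = re.compile(r"(access_token=)[^&#\s]+")


def maker_api_request(path, token, hub_ip=HUB_IP, app_id=APP_ID, token_in_header=True):
    """Build a GET Request for /apps/api/<app_id>/<path>.

    token_in_header=True puts the token only in an Authorization header;
    False appends it as the access_token query parameter (the URL style
    the Maker API app shows you)."""
    url = f"http://{hub_ip}/apps/api/{app_id}/{path.lstrip('/')}"
    headers = {}
    if token_in_header:
        headers["Authorization"] = f"Bearer {token}"
    else:
        sep = "&" if "?" in url else "?"
        url += sep + urllib.parse.urlencode({"access_token": token})
    return urllib.request.Request(url, headers=headers, method="GET")


def token_exposure(req):
    """List where the token travels in a prepared request: 'url' and/or 'header'."""
    places = []
    if "access_token=" in req.full_url:
        places.append("url")
    if req.has_header("Authorization"):
        places.append("header")
    return places


def redact_token(url):
    """Replace the access_token value so the URL is safe to write to a log."""
    return TOKEN_RE.sub(r"\1[REDACTED]", url)


def fetch_json(req):
    """Send the request to a real hub and decode the JSON body (network call)."""
    import json
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    placeholder_token = "00000000-0000-0000-0000-000000000000"
    in_url = maker_api_request("devices", placeholder_token, token_in_header=False)
    in_header = maker_api_request("devices", placeholder_token)
    print("query-string style exposes token in:", token_exposure(in_url))
    print("header style exposes token in:", token_exposure(in_header))
    print("loggable form:", redact_token(in_url.full_url))
```

Whichever form you use, the token is the whole credential for that Maker API instance: regenerate it if it has ever been pasted into a URL that was shared or logged.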