In this article, I will detail how an attacker using a low-complexity exploit can enumerate and view files remotely on a popular home automation web-app. This can be performed without authentication by exploiting a new directory traversal vulnerability I found (CVE-2021-3152).
Target Application: Home Assistant & HACS
The web-application I researched is called “Home Assistant”, which is an “Open-source home automation that puts local control and privacy first”. More specifically, the popular custom integration in which I discovered the new vulnerability is called “Home Assistant Community Store” (HACS). HACS “is an integration that gives the user a powerful UI to handle downloads of custom integrations and plugins.”
Scope and Impact
I would like to clarify that this vulnerability only affects users that have installed custom integrations in Home Assistant. But since it does not require a highly skilled attacker or authentication to perform successfully, its damage potential is vast.
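To make the class of defect concrete from the defensive side, here is an added example of how a static-file route (such as one serving a per-integration folder) should confine every requested path to its document root. This is illustrative code written for this article, not HACS's or Home Assistant's own handler; the root directory, the request strings and the `resolve_under_root` / `serve_static` names are constructed for the demonstration.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote
import tempfile


def resolve_under_root(root, requested):
    """Map a URL path segment onto a file under `root`.

    Returns the resolved absolute Path when the request stays inside `root`,
    and None when it would escape (the directory traversal case).
    """
    root_path = Path(root).resolve()

    # Decode percent-encoding before any check so that encoded dot segments
    # such as %2e%2e are inspected as "..".  Decoding twice also covers a
    # double-encoded request (%252e%252e).
    decoded = unquote(unquote(requested))

    # A NUL byte can truncate the path in lower-level file APIs; refuse it.
    if "\x00" in decoded:
        return None

    rel = PurePosixPath(decoded.lstrip("/"))
    # Reject explicit parent references outright rather than trying to
    # "clean" them; any ".." component is a signal of a traversal attempt.
    if rel.is_absolute() or any(part == ".." for part in rel.parts):
        return None

    candidate = (root_path / rel).resolve()
    # Final containment check after symlink resolution: the candidate must
    # still sit underneath the root directory.
    try:
        candidate.relative_to(root_path)
    except ValueError:
        return None
    return candidate


def serve_static(root, requested):
    """Return (status, body) the way a minimal static handler would."""
    target = resolve_under_root(root, requested)
    if target is None:
        return 404, b""
    if not target.is_file():
        return 404, b""
    return 200, target.read_bytes()


if __name__ == "__main__":
    # Constructed demo root with one legitimate asset and one "sensitive"
    # file placed outside the served directory.
    base = Path(tempfile.mkdtemp())
    www = base / "www"
    (www / "themes").mkdir(parents=True)
    (www / "themes" / "a.css").write_text("body{}")
    (base / "secrets.yaml").write_text("token: CONSTRUCTED-PLACEHOLDER")

    for req in ["themes/a.css", "../secrets.yaml", "%2e%2e/secrets.yaml",
                "themes/../../secrets.yaml"]:
        status, body = serve_static(www, req)
        print(f"{req!r:32} -> {status} {body[:20]!r}")
```

The important design choice is the order of operations: decode first, refuse any `..` component, and only then resolve and re-check containment. Relying on string prefix matching alone, or on a single decode, is where such handlers typically go wrong.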
Discovery Methodology
I started my enumeration by running the traffic of the web-app through the Burp Suite proxy until I found an interesting folder named “hacsfiles”, which is created for the HACS custom integration mentioned above.
Figure: The folder associated with the HACS custom integration. (Burp Suite)