The Market Ticker
Rss Icon RSS available
You are not signed on; if you are a visitor please register for a free account!
The Market Ticker Single Post Display (Show in context)
User: Not logged on
Top Login FAQ Register Clear Cookie
User Info And This Is Why....; entered at 2018-05-15 12:22:56
Tickerguy
Posts: 152881
Registered: 2007-06-26
The outrageous stupidity of this sort of thing astounds me.

When you revoke someone's privileges you often need to do it RIGHT NOW. And incidentally this implies that the app is doing some sort of authentication token caching and not re-validating it on each request, which is ridiculously stupid.

I can see where if you have a valid, CURRENT session to the camera AT THE MOMENT THE ACCESS IS REVOKED it remains valid until closed, because most of these devices use RTSP or similar.

But for that to be cached somewhere (either in the cloud or the app itself) means there's something far more serious going on here that's not immediately obvious -- like the camera ITSELF is not secure AT ALL.

HomeDaemon's app doesn't store the login or password at all, anywhere. It's sent to the server when you sign on and the server (if it likes the credentials and validates them against a hashed password) returns a very long, randomly generated token (cookie.) The app caches THAT. When a command is sent whether it's something to do or a monitoring session request that cookie (or a new authentication set) has to be presented. Each "session" is short in duration (monitoring sessions are 90 seconds if the phone is locked, just looking for changes, and up to 5 minutes if the screen is on, since it's more-efficient if you're active to leave the stream up), the duration is enforced by the server (NOT the client!) and if the cookie is revoked (because you killed the account or changed the password) then as soon as the current "thing" is over you can't re-authenticate because the token isn't valid any more. As the server-side owner YOU choose how paranoid you wish to be (how long those tokens are valid for) at which point you MUST re-enter your credentials because the SERVER wipes the randomly-generated entry it is holding in RAM on whatever interval you have set.

It's pure LAZINESS to not do this sort of thing right. My 30-second guess is that they're doing a lazy cloud-sync of authentication credentials which is both outrageously insecure in the first instance AND leads to this problem.

Last modified: 2018-05-15 12:24:58 by tickerguy

2018-05-15 12:22:56