Disclosed - Lifx Security Issue


I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home.

One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it.

The API is pretty secure - good use of OAuth and tokens to make sure whatever you're building is resistant to infiltration. I mean, imagine if someone hacked your lightbulbs and ... err... switched off the light while you were reading. That'd be dreadful!

As I was wandering through the developer documentation, I noticed that there was a prominent login form. The pages were not served over HTTPS, and the form was similarly submitting to an insecure page. Typing in "https" before the URL showed a mismatched certificate error.

Not a great user experience - and a good way for customers to have their passwords intercepted.

24th April 2016

I took a quick note of my findings and used Lifx's contact form to alert them.

The URLs http://api.developer.lifx.com/ and http://lan.developer.lifx.com/ ask developers for their email address and password.

The site is NOT served over httpS. If a user tries to manually force it to https, they get a mismatched certificate error.

If a developer is on an insecure connection, this could cause their credentials to leak.

Can I strongly urge you to fix the certificates on the site and to reset the passwords of any user who has been affected.

27th April

I received this very positive note back from one of their engineers.

Thank you for reporting this issue to us. At LIFX we take our users' and developers' security extremely seriously. Here we clearly dropped the ball, and we need to be better.

Today I obtained certificates, sent them to our provider and set the documentation sites to enforce SSL. Finally I also changed most links to link to the SSL version of the site by default. We will be internally discussing how to best inform anyone affected.

Again thank you for your time finding and reporting this vulnerability to us. Your efforts have made us all more secure.

That's a pretty good response time for a company - especially given the timezone differences.

Conclusions

I checked, and the sites are now securely behind https.

It appears that the "log in" form is actually to log in to the ReadMe.IO documentation service. I would expect that most developers would see "Log In" and use their Lifx credentials. This means that ReadMe.IO (who I'm sure are honourable people) may inadvertently be receiving usernames and passwords for an entirely different service.

If you've previously clicked that Log In button, it would be sensible to reset your password and revoke any OAuth tokens you may have generated.

If you run a website, think hard about which login prompts you display - and whether tired developers are likely to make mistakes.
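The two findings above (a password form served and submitted over plaintext HTTP, and a form that collects one site's credentials but posts them to a third-party documentation host) can be turned into a repeatable check. The following is an added example of mine, not code from the post or from Lifx: it takes a page URL and its HTML and reports each problem. The sample HTML is constructed, and the certificate mismatch the post describes is not covered here.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):  # collects each <form>, its action, and whether it has a password field
    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html, expected_host=None):
    """Return findings for password forms: plaintext page, plaintext action, or an
    action posting to a host other than expected_host (default: the page's own host)."""
    scanner = _FormScanner()
    scanner.feed(html)
    password_forms = [f for f in scanner.forms if f["has_password"]]
    findings = []
    if password_forms and urlsplit(page_url).scheme != "https":
        findings.append("login form served over plaintext HTTP: " + page_url)
    target_host = expected_host or urlsplit(page_url).hostname
    for form in password_forms:
        action = urljoin(page_url, form["action"])  # an empty action posts back to the page itself
        parts = urlsplit(action)
        if parts.scheme != "https":
            findings.append("credentials submitted over plaintext HTTP: " + action)
        if parts.hostname != target_host:
            findings.append("credentials posted to a different host: " + str(parts.hostname))
    return findings


# Constructed sample: a docs page with an email/password form, as described in the post.
SAMPLE_HTML = ('<form action="/login"><input name="email">'
               '<input type="password" name="password"></form>')

if __name__ == "__main__":
    print(audit_login_forms("http://api.developer.lifx.com/", SAMPLE_HTML))
```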

Bounty!

I obviously wasn't expecting a million dollar payout - but was pleasantly surprised to receive a clutch of new bulbs as a thank you gift.

Lifx Bug Bounty - 6 brand new bulbs

Anyway, here's me casting a spell on one of my bulbs.

Read more on my GitHub repo.

What do you reckon?