Announcement

Collapse
No announcement yet.

Web/HSTouch User created without my knowing

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Web/HSTouch User created without my knowing

    I was investigating an other problem I have and I found a user created in my list that I didn't put there...

    bbergstrom9@comcast.net with all rights. Does anyone know if a plugin could have done this?
    I googled this email adres but nothing comes up.

    The only plugin that not from the store is Log2Splunk
    Also the "Enable remote access through MyHS service" was checked. I know for sure that I unchecked this 1 year ago when I installed Homeseer...

    I'm a bit worried that someone has acces over my system.
    The "Log Remote Logins" is checked and I can't find anything in the logs files that might indicate remote logins with that user account.

    Is it possible that even though I don't have a MyHS Service account that someone can use their account to use one my Homeseer?
    And that someone logged in from MyHS service without it being logged

    #2
    This was an issue that was supposed to be fixed months ago. I would recommend putting in a ticket at support@homeseer.com so it can be investigated.
    💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products

    Comment


      #3
      Originally posted by Rupp View Post
      This was an issue that was supposed to be fixed months ago. I would recommend putting in a ticket at support@homeseer.com so it can be investigated.
      Do you have the bug report for that issue or can you explain?

      Comment


        #4
        What version are you running? This was reported and, I suppose, fixed, since this is the first report I have seen in quite some time...
        HomeSeer Version: HS4 Pro Edition 4.2.19.0 (Windows - Running as a Service)
        Home Assistant 2024.3
        Operating System: Microsoft Windows 11 Pro - Desktop
        Z-Wave Devices via two Z-Net G3s
        Zigbee Devices via RaspBee on RPi 3b+
        WiFi Devices via Internal Router.

        Enabled Plug-Ins
        AK GoogleCalendar 4.0.4.16,AK HomeAssistant 4.0.1.23,AK SmartDevice 4.0.5.1,AK Weather 4.0.5.181,AmbientWeather 3.0.1.9,Big6 3.44.0.0,BLBackup 2.0.64.0,BLGData 3.0.55.0,BLLock 3.0.39.0,BLUPS 2.0.26.0,Device History 4.5.1.1,EasyTrigger 3.0.0.76,Harmony Hub 4.0.14.0,HSBuddy 4.51.303.0,JowiHue 4.1.4.0,LG ThinQ 4.0.26.0,ONVIF Events 1.0.0.5,SDJ-Health 3.1.1.9,TPLinkSmartHome4 2022.12.30.0,UltraCID3 3.0.6681.34300,Z-Wave 4.1.3.0

        Comment


          #5
          Originally posted by ewkearns View Post
          What version are you running? This was reported and, I suppose, fixed, since this is the first report I have seen in quite some time...
          I'm running HomeSeer Version: HS3 Pro Edition 3.0.0.318 on Debian

          Edit -
          I see this line in the changeling
          * Added a setting to disable the auto creation of user accounts when logging in using HSTouch through MyHS (also logs when this happens)

          What does this mean? I never created a MyHS account but still I see this new email adres. Does this mean this person had acces to my Homeseer Server?
          Last edited by alan_smithee; November 2, 2017, 08:00 AM.

          Comment


            #6
            I think this issue was fixed in .312.... so, if you have any suspicion that this user was created after that update, I'd follow Rupp's advice and open a ticket ASAP.....
            Last edited by ewkearns; November 2, 2017, 08:33 AM. Reason: Poor spelling.
            HomeSeer Version: HS4 Pro Edition 4.2.19.0 (Windows - Running as a Service)
            Home Assistant 2024.3
            Operating System: Microsoft Windows 11 Pro - Desktop
            Z-Wave Devices via two Z-Net G3s
            Zigbee Devices via RaspBee on RPi 3b+
            WiFi Devices via Internal Router.

            Enabled Plug-Ins
            AK GoogleCalendar 4.0.4.16,AK HomeAssistant 4.0.1.23,AK SmartDevice 4.0.5.1,AK Weather 4.0.5.181,AmbientWeather 3.0.1.9,Big6 3.44.0.0,BLBackup 2.0.64.0,BLGData 3.0.55.0,BLLock 3.0.39.0,BLUPS 2.0.26.0,Device History 4.5.1.1,EasyTrigger 3.0.0.76,Harmony Hub 4.0.14.0,HSBuddy 4.51.303.0,JowiHue 4.1.4.0,LG ThinQ 4.0.26.0,ONVIF Events 1.0.0.5,SDJ-Health 3.1.1.9,TPLinkSmartHome4 2022.12.30.0,UltraCID3 3.0.6681.34300,Z-Wave 4.1.3.0

            Comment


              #7
              You need to update to a later version. I don't think this was fixed until the .34x software.

              Comment


                #8
                I don't know when this user was created, I never look at that tab....
                I've just updated the Server, put the all outgoing connections to a deny on the firewall.

                Shitty part is that I see that the updates doesn't just has one dns entry but makes a connection to different server so I have to make an exception for each one.

                Code:
                http://gaintechsolutions.com/updates3/updates.txt
                http://bladeplugins.no-ip.org/plugins/Homeseer3/BL1Wire/updates.txt
                http://homeseer.dyndns-remote.com:8765/Homeseer3/Arduino/Updater/updater_override.txt
                http://automatedhomeonline.com/HomeSeer3/hspi_ultralighting3_updater.txt
                http://www.highpeak.co.za/updates3/Modbus_UPDATER.txt
                http://donmor.ca/HS_Plugin/QS/updates.txt
                http://homeseer.du-pre.com/HS3/LimitlessLED3/updater.txt
                https://dl.dropboxusercontent.com/s/px1kzwqkzc0jbov/updater.txt
                http://home.indigozest.net/FTP/HomeSeer3/izKNX/UpdaterFTP.txt
                http://download.dedroog.com/hs3/A10/updater.txt
                What suprises me is that this is a pretty serious issue and Homeseer should have send a warning e-mail about this....

                I just created a Myhs account and the only thing it needs to connect to my homeseer is a username and password (that's really simple) that homeseer send me when I bought te product.

                I'll open a ticket and ask if anyone else has added my Homeseer server to a MyHS service.

                Comment


                  #9
                  My understanding is that the multiple URL issue you have is currently being resolved..... and I *think* I received a heads-up on the login issue....
                  HomeSeer Version: HS4 Pro Edition 4.2.19.0 (Windows - Running as a Service)
                  Home Assistant 2024.3
                  Operating System: Microsoft Windows 11 Pro - Desktop
                  Z-Wave Devices via two Z-Net G3s
                  Zigbee Devices via RaspBee on RPi 3b+
                  WiFi Devices via Internal Router.

                  Enabled Plug-Ins
                  AK GoogleCalendar 4.0.4.16,AK HomeAssistant 4.0.1.23,AK SmartDevice 4.0.5.1,AK Weather 4.0.5.181,AmbientWeather 3.0.1.9,Big6 3.44.0.0,BLBackup 2.0.64.0,BLGData 3.0.55.0,BLLock 3.0.39.0,BLUPS 2.0.26.0,Device History 4.5.1.1,EasyTrigger 3.0.0.76,Harmony Hub 4.0.14.0,HSBuddy 4.51.303.0,JowiHue 4.1.4.0,LG ThinQ 4.0.26.0,ONVIF Events 1.0.0.5,SDJ-Health 3.1.1.9,TPLinkSmartHome4 2022.12.30.0,UltraCID3 3.0.6681.34300,Z-Wave 4.1.3.0

                  Comment


                    #10
                    Well I just created 30 objects (most fqdn) for the homeseer updater on my firewall.
                    Changed most passwords that were send as plain text in my subnet.
                    And went through 1 year of logging to see if there was a connection being made outside my vpn/local subnet.

                    Opened a ticket at Homeseer. They say that nobody tried to use my license ID on MyHS. Still wondering how that account came there. I hope they can find something with the email adres bbergstrom9@comcast.net

                    Comment

                    Working...
                    X