
Meross Cloud Credentials saved in plain text #486

Closed
mwalterskirchen opened this issue Feb 8, 2024 · 5 comments
Labels
enhancement New feature or request waiting validation Waiting for user's test/validation

Comments

@mwalterskirchen

Describe the bug
The integration saved the credentials for authenticating with the meross cloud in plain text in /config/.storage/core.config_entries

Your environment
HomeAssistant version: 2024.3.0.dev0
Hardware environment: Mac OSX Sonoma 14.2.1

Logs taken when the issue happened

{
  "entry_id": "f5755df6bdb86f04a66392457b11ca77",
  "version": 1,
  "minor_version": 1,
  "domain": "meross_cloud",
  "title": "https://iot.meross.com",
  "data": {
    "username": "--REDACTED--",
    "password": "homeassistant_iot",
    "http_api_endpoint": "https://iot.meross.com",
    "override_mqtt_endpoint": null,
    "stored_credentials": {
      "domain": "https://iotx-us.meross.com",
      "mqtt_domain": [
        "mqtt-us.meross.com"
      ],
      "token": "--REDACTED--",
      "key": "4572ec9267d62a00e5a1face072e6a07",
      "user_id": "--REDACTED--",
      "user_email": "--REDACTED--",
      "issued_on": "2024-02-07T14:52:27.962865",
      "mfa_lock_expire": 0
    },
    "skip_mqtt_cert_validation": true
  },
  "options": {},
  "pref_disable_new_entities": false,
  "pref_disable_polling": false,
  "source": "user",
  "unique_id": "https://iot.meross.com",
  "disabled_by": null
}
@albertogeniola
Owner

albertogeniola commented Feb 11, 2024

Hi @mwalterskirchen ,

That's intended. In order to keep your session up and running across reboots of HomeAssistant, the Meross integration needs to keep an access token stored locally, as the Meross app does. Encrypting the credentials would require an encryption key to be stored somewhere: again, that would just shift the problem, as we would store the encryption key for decrypting the credentials.

Most of the HomeAssistant components store credentials this way. The point is that nobody except admins should ever be able to access the SSH console or the SD contents of the HA directory.

In any case, we are not storing your user's password, but just the issued token (this is how browsers and apps work) in order to improve the security (you should not be able to do major account changes with only the token, you'll need the actual user's password)

@albertogeniola albertogeniola added question Further information is requested waiting validation Waiting for user's test/validation labels Feb 11, 2024
@mwalterskirchen
Author

Hi @albertogeniola,
Thanks for getting back to me and clarifying your point of view! 🙌🏻
But my user password iot_homeassistant is saved in clear text in the config file. This would best be avoided by just using a token altogether and never saving the user password, but rather just the token. This way, IF a potential attacker were to get access to the HA directory somehow, they could only abuse one service and not potentially obtain a clear text password that users tend to reuse across applications.

@albertogeniola
Owner

Hi @mwalterskirchen ,
my mistake, I was wrong. You are right, the current version of this component is storing the user's password.
Now that I think about it, I remember this was necessary as the token did not report its expiration timestamp, so it was hard to say when it would have expired. Nor was it possible to renew it without the user/password combination.

However, that was a long time ago, so it might be the right time to get back to the Meross Engineering team to get info about the token expiration and see if we can store only the token instead of the email/password combination.

I'll mark this discussion as feature request to improve the overall security of this component.

Thanks for the spot!

@albertogeniola albertogeniola added enhancement New feature or request and removed waiting validation Waiting for user's test/validation labels Feb 11, 2024
@albertogeniola albertogeniola removed the question Further information is requested label Apr 25, 2024
@albertogeniola albertogeniola added this to the Version v1.3.1 milestone Apr 25, 2024
@albertogeniola
Owner

Hi @mwalterskirchen ,
I got back to the Meross Engineers. It looks like the token expiration is handled on their side: every time you use the same token, its expiration is extended. This means that we can assume the token never expires, if the HA system is kept running and connected to the Internet. Therefore, I performed the necessary changes to the library and to the component so that user/password credentials are no longer stored. Instead, we just use the token.

I've released a beta version for you to try it out: v1.3.1beta1. Would you please try it and provide some feedback?
Please note: you need to completely remove the integration, restart HA, then install the new integration. In this way, the previous stored info is wiped away and username/password won't be there any longer.
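The two sides of this thread (the original report of a plaintext `password` field in `core.config_entries`, and the v1.3.1 change to keep only the token) can be checked from an operator's side with a small audit script. The following is an added example written for this page; it is not code from the meross_cloud component or from Home Assistant. The sample store, the placeholder values, the `find_plaintext_passwords`/`to_token_only`/`migrate_store` names and the default path are all assumptions constructed for illustration.

```python
"""Audit a Home Assistant core.config_entries store for meross_cloud entries
that still carry the account password, and show the token-only entry shape
that the v1.3.1 fix moves to.

Added example for this issue thread; not the component's own code.
"""
import json
from copy import deepcopy

# Default location quoted in the issue; pass another path to audit_file() if needed.
DEFAULT_STORE_PATH = "/config/.storage/core.config_entries"

# Constructed sample store mirroring the structure posted in the issue.
# All values are placeholders, not real credentials.
SAMPLE_STORE = {
    "version": 1,
    "minor_version": 1,
    "key": "core.config_entries",
    "data": {
        "entries": [
            {
                "entry_id": "ENTRY_ID_PLACEHOLDER",
                "version": 1,
                "minor_version": 1,
                "domain": "meross_cloud",
                "title": "https://iot.meross.com",
                "data": {
                    "username": "user@example.invalid",
                    "password": "PLAINTEXT_PASSWORD_PLACEHOLDER",
                    "http_api_endpoint": "https://iot.meross.com",
                    "override_mqtt_endpoint": None,
                    "stored_credentials": {
                        "domain": "https://iotx-us.meross.com",
                        "mqtt_domain": ["mqtt-us.meross.com"],
                        "token": "TOKEN_PLACEHOLDER",
                        "key": "KEY_PLACEHOLDER",
                        "user_id": "USER_ID_PLACEHOLDER",
                        "user_email": "user@example.invalid",
                        "issued_on": "2024-02-07T14:52:27.962865",
                        "mfa_lock_expire": 0,
                    },
                    "skip_mqtt_cert_validation": True,
                },
            },
            {
                # Unrelated integration; must not be reported or touched.
                "entry_id": "OTHER_ENTRY_PLACEHOLDER",
                "domain": "some_other_domain",
                "data": {"api_key": "API_KEY_PLACEHOLDER"},
            },
        ]
    },
}


def find_plaintext_passwords(store, domain="meross_cloud"):
    """Return the entry_ids of config entries for `domain` whose data still
    holds a non-empty 'password'. A stored token is expected (it is what keeps
    the session alive across restarts); the finding is the reusable account
    password sitting next to it."""
    hits = []
    for entry in store.get("data", {}).get("entries", []):
        if entry.get("domain") != domain:
            continue
        if entry.get("data", {}).get("password"):
            hits.append(entry["entry_id"])
    return hits


def to_token_only(entry):
    """Return a copy of one meross_cloud entry with username/password removed
    and stored_credentials (the token) kept. Hypothetical migration shape for
    illustration, not the component's real migration."""
    migrated = deepcopy(entry)
    migrated["data"].pop("username", None)
    migrated["data"].pop("password", None)
    if not migrated["data"].get("stored_credentials", {}).get("token"):
        # Without a token the entry cannot authenticate after the password is
        # dropped; the user would have to re-add the integration (as the thread
        # says for the v1.3.1 upgrade), so refuse rather than produce a dead entry.
        raise ValueError("no stored token; remove and re-add the integration")
    return migrated


def migrate_store(store, domain="meross_cloud"):
    """Return a copy of the whole store with every `domain` entry token-only."""
    new_store = deepcopy(store)
    entries = new_store.get("data", {}).get("entries", [])
    new_store["data"]["entries"] = [
        to_token_only(e) if e.get("domain") == domain else e for e in entries
    ]
    return new_store


def audit_file(path=DEFAULT_STORE_PATH):
    """Load a real store from disk and report entries that still hold a password."""
    with open(path, encoding="utf-8") as fh:
        return find_plaintext_passwords(json.load(fh))


if __name__ == "__main__":
    print("entries with plaintext password:", find_plaintext_passwords(SAMPLE_STORE))
    print("after migration:", find_plaintext_passwords(migrate_store(SAMPLE_STORE)))
```

Run `audit_file()` against a copy of the real store (never edit `.storage` while Home Assistant is running); an empty list after upgrading to v1.3.1 and re-adding the integration confirms the password is gone, while the token under `stored_credentials` remains the secret that still needs the file-system protections the maintainer describes.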

@albertogeniola albertogeniola added the waiting validation Waiting for user's test/validation label Apr 25, 2024
@albertogeniola
Owner

Fixed in v1.3.1. Closing!
