# HA Cloud hacked?


potent pollen
#

Hey there, I raised an issue here:
https://discord.com/channels/330944238910963714/1308060249286250508

But I also saw something here as well:
https://discord.com/channels/330944238910963714/1307804764557283398

From what I can see, HA Cloud routes under localhost IPs (i.e. 127.0.0.1), but my concern is that the paths are very random, so how has someone figured one out? Has there been some kind of leak that has given away our URLs?

Just want to check and understand, because it feels weird that such a random and complex string of characters and numbers has somehow been found by someone, who then started hitting both me AND someone else.

brittle ravine
#

What are you running HA on and what install type (Container, HAOS, Supervised)?

potent pollen
#

I am running HA via HAOS on a Raspberry Pi. Yesterday at around 8:30pm UK time I got multiple failed requests, at exactly the same time as the other person in this thread.

I checked the request via my HA Cloud URL endpoint, and the HA install notes the request as coming from 127.0.0.1; see log:

2024-11-18 13:52:30.112 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from localhost (127.0.0.1). Requested URL: '/media/test123/.git/config'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)

This was me from a browser using my HACloud endpoint.
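The log line above shows the practical consequence of the remote UI tunnel: a request that arrived over HA Cloud is recorded with source 127.0.0.1, so the source address tells a defender nothing and any per-IP banning keys on loopback. The requested path is the useful signal. The following is an added example, not code from the thread or from Home Assistant: a small parser for `http.ban` warning lines of the format shown, which flags loopback-sourced requests as tunnelled and flags well-known scanner paths. The sample log is constructed; the first line is the one from the post, the others are made up, and the scanner path markers beyond `.git/` are illustrative assumptions.

```python
import re
from dataclasses import dataclass

# Matches the homeassistant.components.http.ban warning shown in the post above:
# "<ts> WARNING (<thread>) [homeassistant.components.http.ban] Login attempt or
#  request with invalid authentication from <host> (<ip>). Requested URL: '<url>'. (<ua>)"
BAN_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) WARNING \([^)]+\) \[homeassistant\.components\.http\.ban\] "
    r"Login attempt or request with invalid authentication from (?P<host>\S+) "
    r"\((?P<ip>[^)]+)\)\. Requested URL: '(?P<url>[^']*)'\. \((?P<ua>.*)\)$"
)

# Path fragments typical of unauthenticated web scanners. '.git/' comes from the
# post; the rest are assumptions added for illustration.
SCANNER_PATH_MARKERS = (".git/", ".env", "wp-login", "phpmyadmin")

# Addresses that the HA Cloud remote-UI tunnel presents requests from.
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class ProbeEvent:
    timestamp: str
    source_ip: str
    url: str
    user_agent: str
    via_cloud_tunnel: bool    # loopback source: the real client IP is not visible
    looks_like_scanner: bool  # path matches a known scanner marker


def parse_ban_line(line: str):
    """Parse one http.ban warning line; return None for lines of other formats."""
    m = BAN_LINE.match(line.strip())
    if not m:
        return None
    ip, url = m.group("ip"), m.group("url")
    return ProbeEvent(
        timestamp=m.group("ts"),
        source_ip=ip,
        url=url,
        user_agent=m.group("ua"),
        via_cloud_tunnel=ip in LOOPBACK,
        looks_like_scanner=any(marker in url for marker in SCANNER_PATH_MARKERS),
    )


def scan_log(lines):
    """Return ProbeEvents for every http.ban warning in the given lines."""
    return [ev for ev in map(parse_ban_line, lines) if ev is not None]


def summarize(events):
    """Count tunnelled scanner hits vs. local failed logins, per requested URL."""
    summary = {"tunnelled_scanner_hits": 0, "local_auth_failures": 0, "urls": {}}
    for ev in events:
        if ev.via_cloud_tunnel and ev.looks_like_scanner:
            summary["tunnelled_scanner_hits"] += 1
        elif not ev.via_cloud_tunnel:
            summary["local_auth_failures"] += 1
        summary["urls"][ev.url] = summary["urls"].get(ev.url, 0) + 1
    return summary


# Constructed sample log: line 1 is the one quoted in the post, lines 2-4 are made up.
SAMPLE_LOG = [
    "2024-11-18 13:52:30.112 WARNING (MainThread) [homeassistant.components.http.ban] "
    "Login attempt or request with invalid authentication from localhost (127.0.0.1). "
    "Requested URL: '/media/test123/.git/config'. (Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36)",
    "2024-11-18 13:52:31.004 WARNING (MainThread) [homeassistant.components.http.ban] "
    "Login attempt or request with invalid authentication from localhost (127.0.0.1). "
    "Requested URL: '/.env'. (curl/8.4.0)",
    "2024-11-18 14:10:02.500 WARNING (MainThread) [homeassistant.components.http.ban] "
    "Login attempt or request with invalid authentication from 192.168.1.20 (192.168.1.20). "
    "Requested URL: '/api/states'. (HomeAssistant/2024.11)",
    "2024-11-18 14:10:03.000 INFO (MainThread) [homeassistant.core] Bus:Handling <Event state_changed>",
]

if __name__ == "__main__":
    for ev in scan_log(SAMPLE_LOG):
        print(ev)
    print(summarize(scan_log(SAMPLE_LOG)))
```

Because a tunnelled request is indistinguishable by address from anything else on loopback, the design choice here is to never alert on the IP alone: an event counts as a probe only when the path looks like scanner traffic, and a loopback source is recorded as "client IP unknown" rather than treated as a local user.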

brittle ravine
#

Yeah, that looks like "something" is probing.

#

Open a ticket with NC and see if they can find something on their end.

#

TBH, the nabu.casa domain can be scanned and potentially probed.

radiant radish
#

Has there been some kind of leak that has given away our URLs?
The domain name is totally public knowledge

#

There's lots of people who don't have a clue who claim that your NC domain name is somehow "secret", but it's not.

#

I think they assume that looks random == secret

brittle ravine
#

Security by obfuscation... (never works)

radiant radish
#

Well... it can help, sometimes... but if it's public knowledge it's not going to help

#

(I self host, and I use a random port that gets about one probe a year on average - the stuff I run on common ports gets lots of probes every hour)

potent pollen
# brittle ravine _Security by obfuscation..._ (never works)

Well, this is my concern. I appreciate that the paths are public knowledge and all, but I still find it weird; it's not like the sub-domain is "announced". I assume they use a wildcard NS record, so it's more a question of how they have even found it, which is my concern. Of course this could have been someone else who posted this address somewhere, but again, okay, it happened once; weird that it happened twice, to another person as well.

I do agree it definitely looks like someone is probing it.

How do you even raise a ticket with NC? via their little popup?

radiant radish
#

They find it by looking at the list of SSL certificates issued.
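The point made here is that publicly trusted certificates are recorded in Certificate Transparency logs, and a certificate issued for one specific hostname publishes that hostname, however random it looks, whereas a wildcard certificate would only publish the parent domain. The following is an added example (not code from the thread or from Nabu Casa) that a user can apply to check their own hostname's exposure: it takes a CT-search result and reports which exact hostnames the issued certificates reveal. The input is constructed and merely shaped like the JSON list that the crt.sh search endpoint returns (the field names `name_value`, `common_name`, `issuer_name` and `not_before` are an assumption); all hostnames in it are placeholders.

```python
import json

# Constructed stand-in for a CT-search response. Shaped like crt.sh JSON output,
# where `name_value` holds the certificate's names separated by newlines (assumed).
# Hostnames are placeholders, not real instances.
CT_RESPONSE = json.dumps([
    {
        "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
        "common_name": "placeholder0123456789abcdef.ui.nabu.casa",
        "name_value": "placeholder0123456789abcdef.ui.nabu.casa",
        "not_before": "2024-10-01T00:00:00",
    },
    {
        "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
        "common_name": "placeholderfedcba9876543210.ui.nabu.casa",
        "name_value": "placeholderfedcba9876543210.ui.nabu.casa",
        "not_before": "2024-10-02T00:00:00",
    },
    {
        # A wildcard certificate: the log reveals the parent, not any particular host.
        "issuer_name": "C=US, O=Example CA, CN=Example R1",
        "common_name": "*.wildcard.example",
        "name_value": "*.wildcard.example\nwildcard.example",
        "not_before": "2024-09-15T00:00:00",
    },
])


def certificate_names(ct_json: str):
    """Yield (name, issued_at) for every name on every certificate in the result."""
    for entry in json.loads(ct_json):
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name:
                yield name, entry["not_before"]


def exposed_hostnames(ct_json: str):
    """Exact hostnames the public log discloses (wildcard entries excluded)."""
    return {name for name, _ in certificate_names(ct_json) if not name.startswith("*.")}


def wildcard_only_domains(ct_json: str):
    """Parent domains that appear only behind a wildcard, so hosts under them stay undisclosed."""
    names = {name for name, _ in certificate_names(ct_json)}
    return {name[2:] for name in names if name.startswith("*.")}


def is_discoverable(hostname: str, ct_json: str) -> bool:
    """True when an issued certificate names this exact host, i.e. it is public record."""
    return hostname.lower() in exposed_hostnames(ct_json)


def first_seen(hostname: str, ct_json: str):
    """Earliest `not_before` among certificates naming the host, or None if never issued."""
    dates = [d for n, d in certificate_names(ct_json) if n == hostname.lower()]
    return min(dates) if dates else None


if __name__ == "__main__":
    mine = "placeholder0123456789abcdef.ui.nabu.casa"
    print("discoverable:", is_discoverable(mine, CT_RESPONSE), "since", first_seen(mine, CT_RESPONSE))
    print("wildcard-only parents:", wildcard_only_domains(CT_RESPONSE))
```

Running this against a real CT search for one's own hostname (replacing `CT_RESPONSE` with the fetched result) answers the question raised in the thread directly: a per-host certificate makes the hostname public from its `not_before` date onward, so treating it as a secret, rather than relying on HA's authentication, is the wrong model.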

brittle ravine
radiant radish
#

NC don't use a wildcard.

potent pollen