Resin.IO Logs are sent in plain HTTP over network


#1

Console logs are sent in the clear over PubNub on HTTP port 80. We consider this quite a serious security issue.

Already mentioned this on Gitter chat but replicating here to make sure that we can get notified when this is being taken care of / solved.


#3

Thank you for the report.
@petrosagg and @afitzek, could you update this when progress is made? Thank you.


#4

Hi @che,

We have verified the issue on our end and we’re working on fixing the issue. Thanks a lot for pointing this out, it is an embarrassing security issue that was a combination of bad defaults and negligence from our side.

We’re releasing a new version of resinOS ASAP with a fix. Also, we’ve patched the library upstream for the benefit of any other PubNub user (https://github.com/pubnub/javascript/pull/89), and we’re also working on an action plan to fix existing devices in the field.