Iris update causes the Gillion's portal to fail

37 posts in this topic

The recent security update has caused the Gillion's web portal to fail.  Please make your voice heard here if you want this fixed.

https://community.irisbylowes.com/t5/Solutions-Projects-How-To-and/Iris-Web-Portal-Fix/m-p/4318#M679


I'm sorry to say that probably won't happen.  I've used the site too and it works essentially by exploiting a security weakness in Iris security (cookie harvesting) by stealing the cookie set on the browser when logging into the Iris website.  Pav's app works because it directly logs into the Iris site and doesn't relay through a 3rd party website.  I see that Iris is specifying a cookie domain (.irisbylowes.com) and is marking the cookie as secure.

Gill can fix this by proxying all of the requests to the Iris cloud, including the login form, through his server using cURL such that the cookie is set directly on the calling agent (his server).  This avoids the need to hijack the session cookie.  Gill, let me know if you need help with this.


Make sure the secure flag is being set on the cookie you're receiving from Iris.  It's possible that is being stripped off.  I would also double-check to make sure that the value in the session cookie is not changing.  If it is, the effect is essentially being logged out on the next request.  I don't use nginx but I did find a sample config script that might be of use.  It takes the auth cookie from the upstream (proxied) source and sets it on the target (client).

server {
  listen       8080;
  location ~ ^/(abc|xyz)/api(/.*)?$ {
    auth_request /auth-proxy;

    # read the cookie from the auth response
    auth_request_set $cookie $upstream_cookie_auth;
    access_by_lua_block {
      if not (ngx.var.cookie == nil or ngx.var.cookie == '') then
        ngx.header['Set-Cookie'] = "auth=" .. ngx.var.cookie .. "; Path=/"
      end
    }
    # add the cookie to the target request
    proxy_set_header Cookie "auth=$cookie";

    set $query $2;

    proxy_pass http://$1/api$query$is_args$args;
    proxy_set_header X-Target $request_uri;
    proxy_set_header Host $http_host;
  }
}
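The two checks suggested in this post (Secure flag present, session value not rotating between responses) and the server-side cookie relay from the earlier reply, as an added example that is not code from the thread or from the Gillion portal. It assumes the upstream cookie is named `auth` with domain `.irisbylowes.com`, as described above; the sample headers are constructed.

```python
from http.cookies import SimpleCookie


def parse_upstream_cookie(set_cookie_header, name):
    """Pull one cookie out of an upstream Set-Cookie header and report its attributes."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    if name not in jar:
        raise KeyError("cookie %r missing from upstream response" % name)
    morsel = jar[name]
    return {
        "value": morsel.value,
        "secure": bool(morsel["secure"]),   # flag attributes parse as True or ""
        "domain": morsel["domain"],
    }


class SessionRelay:
    """Keeps the upstream session cookie on the proxy server; the browser talks only
    to the proxy, so the Iris cookie never has to be copied to a third-party origin."""

    def __init__(self, cookie_name="auth", expected_domain=".irisbylowes.com"):
        self.cookie_name = cookie_name        # assumed cookie name
        self.expected_domain = expected_domain  # assumed cookie domain
        self.upstream_value = None

    def ingest(self, set_cookie_header):
        """Record the cookie from an upstream response; return warnings worth checking."""
        info = parse_upstream_cookie(set_cookie_header, self.cookie_name)
        warnings = []
        if not info["secure"]:
            warnings.append("secure flag missing (stripped somewhere in the chain?)")
        if info["domain"] and info["domain"] != self.expected_domain:
            warnings.append("unexpected cookie domain %r" % info["domain"])
        if self.upstream_value is not None and info["value"] != self.upstream_value:
            warnings.append("session value changed: upstream rotated the session, "
                            "so the previous value is effectively logged out")
        self.upstream_value = info["value"]
        return warnings

    def upstream_request_headers(self):
        """Cookie header to attach when forwarding the next client request upstream."""
        if self.upstream_value is None:
            raise RuntimeError("no upstream session yet; proxy the login form first")
        return {"Cookie": "%s=%s" % (self.cookie_name, self.upstream_value)}
```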


Occasionally my cameras would stop working and I have to reboot them remotely. I could easily do this through Gillion's portal.
My cameras are currently down and I need to reboot them remotely. Does anyone know of another way to do this? I can't find an option in the official web interface.


Just an update for you all.  I've been working with Gillion on restoring the portal.  After some research and testing today I now know exactly the change that Lowe's did which broke the portal.  That change is an added check to ensure that the connections to their servers are coming from users of their web portal, rejecting any from other websites such as Gillion's.  The good news: by using a Chrome browser plug-in, "Modify Headers for Google Chrome", I am able to override this security measure and allow the portal to connect to the Iris cloud.  For now it's just a hack while we continue to research a permanent fix.

[image attachment: IrisPortal.png]


Here is how to set up the Modify Headers for Google Chrome plugin.

Click the add (plus) button on the top right of the plugin page.

Add the following:

[image attachment: screenshot of the header entry]

Then click save.

Then click the play button in the top left.

Then click the power button on the line; this will make it look like above.

Go log in to the portal like before.

1 hour ago, spollo said:

You may also want to add the ‘Host’ header:

Host: bc.irisbylowes.com

just in case,

I would advise against that. It might not break anything today, but if Lowe's wanted to they could easily block requests with that header. All requests to their socket stream now originate from home.irisbylowes.com.


Weird... I had issues with Hangouts this afternoon but initially thought it was something going on with my POS machine at work. I will try to remember Monday to investigate more.


Worked for me as well.  To be honest, I don't use web access much anyway.  I always felt it was a dumb move to get rid of web access and only have mobile, but to Iris's credit I hardly ever use the web to do anything to my system.  The one thing I do use is filter hours.  I still can't believe Iris has not added this back.  If it were not for this portal I probably would have moved my thermostat over to SmartThings as well.  I figured I would move it over if this did not work.  With this workaround I will keep it here for now.


Iris Team: if you're following this thread, you need to work WITH Gillion and 'IrisUsers', not against them. We all know that security is important, but unless you can assist and facilitate an interface to your servers that will enable this extremely valuable 'Iris Web Portal' service to continue, you are going to lose a significant part of your 'high end' user community. People like me have stuck with Iris despite the problems, but need the extra capabilities 'The Gillion' was providing which your own 'official' portal still does not. For those like me who use their system for a second home visited every few weeks or months, things like battery monitoring, signal strength, webcam reset, and history downloads are what make it possible to actually manage this system remotely and continue as Lowes customers. You can do it without compromising security.
