First Wink bricked their smart home hubs while rolling out an updated certificate list (in the name of good security, at least). Then Chrysler decided it wasn't a big deal that their cars could be remotely hijacked -- granted, they later decided it might be a teensy problem. We knew the trifecta was in play. But who would be the third big IoT company to announce a massive security problem?
Today we find out. It's Honeywell.
As ThreatPost reports:
There are two separate vulnerabilities in the Tuxedo Touch: an authentication bypass bug and a cross-site request forgery flaw. The first vulnerability lets an attacker get around the authentication mechanism in the system.
"The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page. By intercepting and dropping requests containing the string USERACCT=USERNAME:_,PASSWORD:_, an unauthenticated user may bypass authentication and access restricted pages," an advisory from CERT says.
Using client-side JavaScript to handle *any* stage of the authentication process is not a great idea: the browser is under the user's control, so a script that only redirects unauthorized visitors can simply be dropped, and whatever restricted content the server already sent is readable. Authorization has to be enforced on the server before a single byte of the protected page goes out. Cross-site request forgery is also old hat in the web world, but apparently the best practices that web admins put in place to keep their cat-video websites safe haven't trickled down to the Internet of Things yet.
Hopefully that will change soon.