Having walked through some of the compromised OctoPrint installations remotely, I see one big problem when they also add plugins like PSU Control and TouchUI. Remotely, you can then toggle the TouchUI interface, and it looks like you have more access to OctoPrint even if you're not logged in. In other words, the User Access setting might be giving you, the owner, a false sense of security. And if I could remotely toggle your PSU ON/OFF, that's a bad thing, right?
Perhaps fifteen years ago I actually owned and operated a datacenter. I made money by hosting websites and databases for customers. Almost all of the websites in those days were based upon Microsoft IIS Server as the webserver. We thought it was safe as a platform. Only ports 80/443 were allowed through the firewalls to the webservers. Safe, right?
I noticed some funny business going on in one of the weblogs. Someone had noticed that you could simply append "::" to the end of an ASP page's URL, and the server would get confused and return the source of the page instead of running it.
Another time, I saw some hacking which involved actually invoking the command shell with a query which looked something like:
And, believe it or not, this actually worked. IIS dutifully climbed up the file system path until it found the root, then walked down into the SYSTEM32 folder, ran CMD.EXE, and returned the results back to them all the way to China.
So I actually had to program an ISAPI filter to block these hacking attempts, so at least I had a solution two days before Microsoft was able to provide a security release to fix it.
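The filter described above had to recognise traversal attempts that were percent-encoded, double-encoded, or written with backslashes, not just a literal "..". The following is an added example, not the author's ISAPI filter and not OctoPrint code: a stand-alone Python scanner over constructed W3C-style IIS log lines (the IPs, timestamps and request paths are made up for illustration) that normalises each requested path the way a filter must before deciding whether it climbed above the web root or points at a command shell.

```python
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines in W3C extended format (not from the original post).
# Field order follows the #Fields header; everything here is illustrative.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2001-10-05 12:00:01 203.0.113.5 GET /default.asp - 80 - 198.51.100.7 Mozilla/4.0 200
2001-10-05 12:00:02 203.0.113.5 GET /default.asp:: - 80 - 198.51.100.7 Mozilla/4.0 200
2001-10-05 12:00:03 203.0.113.5 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\\ 80 - 198.51.100.7 Mozilla/4.0 200
2001-10-05 12:00:04 203.0.113.5 GET /scripts/%252e%252e%255c%252e%252e%255cwinnt/system32/cmd.exe /c+dir 80 - 198.51.100.7 Mozilla/4.0 200
2001-10-05 12:00:05 203.0.113.5 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0 200
"""

# Path fragments that should never appear in a request to a web root (assumption for this example).
SHELL_MARKERS = ("cmd.exe", "system32")


def normalize_path(raw: str) -> Tuple[str, bool]:
    """Decode percent-encoding until it stops changing (bounded), treat '\\' like '/',
    and resolve '.' and '..' against a virtual web root.
    Returns (resolved_path, escaped_root) where escaped_root is True if any '..'
    tried to climb above the root, which is exactly the traversal the post describes."""
    decoded = raw
    for _ in range(4):                      # unwraps double/triple encoding, never loops forever
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    decoded = decoded.replace("\\", "/")    # IIS accepted either separator
    segments: List[str] = []
    escaped_root = False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            else:
                escaped_root = True         # walked up past the web root
        else:
            segments.append(seg)
    return "/" + "/".join(segments), escaped_root


def naive_flag(uri_stem: str) -> bool:
    """A plain string match on the raw URL: what a first attempt at a filter does,
    and what an encoded request slips past."""
    return ".." in uri_stem


def classify_request(uri_stem: str) -> Optional[str]:
    """Return a verdict label for a suspicious request, or None for a clean one."""
    path, escaped_root = normalize_path(uri_stem)
    if escaped_root:
        return "traversal-above-root"
    if any(marker in path.lower() for marker in SHELL_MARKERS):
        return "command-shell-path"
    if "::" in uri_stem:                    # the source-disclosure suffix trick from the post
        return "stream-suffix"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Walk W3C log lines and return (client_ip, uri_stem, verdict) for each hit."""
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 11:
            continue
        uri_stem, client_ip = fields[4], fields[8]
        verdict = classify_request(uri_stem)
        if verdict:
            hits.append((client_ip, uri_stem, verdict))
    return hits


if __name__ == "__main__":
    for client_ip, stem, verdict in scan_log(SAMPLE_LOG):
        print(f"{client_ip}  {verdict:22s}  {stem}  (naive match: {naive_flag(stem)})")
```

The fourth sample line is the one worth studying: its dots and separators are double-encoded, so `naive_flag` sees no ".." at all, while `normalize_path` unwraps it to the same `/winnt/system32/cmd.exe` request as the third line and reports that it climbed above the root. A filter that matches before normalising is the kind that gets bypassed with one more layer of encoding.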
Moral of the story: the Internet isn't safe. Webservers, and especially open-source ones, are well understood by hackers and can have vulnerabilities which are unknown to you and to the author. Processing power is cheap. They can send a thousand attempts to brute-force a password, or try everything to get in.