The security of home automation systems such as the Xiaomi Home integration for Home Assistant (referred to here as Xiaomi Home Assistant) is a growing concern. A potential vulnerability in its OAuth login process has been identified that could let an attacker on the same local network take over a user's account. This article describes the proposed attack, what it implies, and the mitigations that have been suggested.

The attack works by hijacking name resolution rather than the OAuth provider itself. The OAuth flow ends with the provider redirecting the user's browser back to the Home Assistant server, which is typically reached by its mDNS (.local) hostname. mDNS names are resolved by multicast on the LAN, and any device on that LAN can answer a query for any name. An attacker's device therefore keeps answering queries for the Home Assistant server's hostname with its own IP address, so the redirect lands on the attacker's device instead of the real server. Whoever receives that redirect receives the authorization code or token it carries; the attacker can then use it to obtain a valid token and act as the user.

Several mitigations have been proposed. First, letting users view and revoke active tokens in the Mi Home app gives them a way to notice and cut off a session they did not create; this is detective rather than preventive, but it limits the damage of a stolen token. Second, performing the OAuth login from the Home Assistant server side with a 127.0.0.1 redirect URL removes the step the attack hijacks: a loopback address is never resolved over the network, so no other host on the LAN can receive the callback. Third, ditching the redirect-based OAuth flow in favor of a PIN-code-based login, similar to what VS Code tunnels use, eliminates the callback URL entirely: the user types a short code shown by the server into the account site, so there is no redirect to intercept.

Understanding where the flow depends on untrusted name resolution, and applying these mitigations, lets users and maintainers significantly reduce the risk to Xiaomi Home Assistant accounts and the data behind them.
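The following is an added example, not code from the original page or from the Xiaomi or Home Assistant projects. It shows the two checks a practitioner would want from the discussion above: why a redirect URL that names a .local host is interceptable while a 127.0.0.1 loopback redirect is not, and how a rogue mDNS claimant shows up on the wire as two sources answering for the same name. The hostname homeassistant.local, the port 8123, the callback paths and the sample mDNS answers are all constructed for illustration; the page does not show the integration's real redirect URL.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed redirect URLs (not taken from the page): the weak form names the
# Home Assistant server by its mDNS hostname, the safe form uses loopback.
WEAK_REDIRECT = "http://homeassistant.local:8123/oauth/callback"
SAFE_REDIRECT = "http://127.0.0.1:8123/oauth/callback"

SECRET_PARAMS = ("code", "access_token", "refresh_token", "id_token")


def classify_redirect_host(redirect_uri):
    """Return how the redirect host is resolved, which decides who can
    receive the authorization code or token carried by the callback:

      'loopback' -> 127.0.0.1 / [::1]; never resolved over the network, so
                    only the machine running the browser can receive it
                    (the loopback redirect RFC 8252 recommends for native apps)
      'mdns'     -> *.local; resolved by multicast on the LAN, so any host on
                    that LAN can answer and receive the callback
      'unicast'  -> ordinary DNS name or non-loopback IP literal
    """
    host = urlsplit(redirect_uri).hostname
    if host is None:
        raise ValueError("redirect URI has no host: %r" % redirect_uri)
    try:
        # IP literal: loopback is safe, anything else goes over the network
        return "loopback" if ipaddress.ip_address(host).is_loopback else "unicast"
    except ValueError:
        pass  # not an IP literal, fall through to the name checks
    if host.lower().rstrip(".").endswith(".local"):
        return "mdns"
    return "unicast"  # includes 'localhost', which RFC 8252 discourages


def callback_secrets(callback_uri):
    """Extract whatever secret material a callback URL carries, from the
    query (authorization code flow) or the fragment (implicit flow).
    Whoever receives the redirect can run exactly this on it."""
    parts = urlsplit(callback_uri)
    found = {}
    for raw in (parts.query, parts.fragment):
        for key, values in parse_qs(raw).items():
            if key in SECRET_PARAMS:
                found[key] = values[0]
    return found


def find_mdns_conflicts(answers):
    """answers: iterable of (name, address, source_ip) for each mDNS A/AAAA
    answer observed on the LAN. A name answered from more than one source IP
    is a conflict: either a misconfiguration or a device impersonating it.
    Returns {name: sorted list of (address, source_ip)} for conflicting names."""
    claims = defaultdict(set)
    for name, address, source_ip in answers:
        claims[name.lower().rstrip(".")].add((address, source_ip))
    return {
        name: sorted(claimants)
        for name, claimants in claims.items()
        if len({src for _, src in claimants}) > 1
    }


# Constructed sample of mDNS answers seen on a LAN: the real server answers
# for its own name, a second host (.77) answers for the same name.
SAMPLE_ANSWERS = [
    ("homeassistant.local.", "192.168.1.10", "192.168.1.10"),
    ("homeassistant.local.", "192.168.1.10", "192.168.1.10"),  # benign repeat
    ("homeassistant.local.", "192.168.1.77", "192.168.1.77"),  # rogue claim
    ("printer.local.", "192.168.1.20", "192.168.1.20"),
]


if __name__ == "__main__":
    for uri in (WEAK_REDIRECT, SAFE_REDIRECT):
        print(uri, "->", classify_redirect_host(uri))
    # Constructed callback; 'abc123' stands in for a real authorization code.
    print(callback_secrets(WEAK_REDIRECT + "?code=abc123&state=xyz"))
    for name, claimants in find_mdns_conflicts(SAMPLE_ANSWERS).items():
        print("mDNS conflict for", name, ":", claimants)
```

The conflict detector only needs the answers a passive listener on the LAN already sees; a name that is consistently answered from one source is normal, while a second source for the Home Assistant hostname is the signature of the attack described above (or of a duplicate-hostname misconfiguration, which is worth fixing for the same reason).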