As far as I can gather, the issue was autopopulating the funding source for LNbits by Alby, and Francis enabling LNbits but not setting it up from the LNbits launch page? We didn't autopopulate the funding source, Alby did. We can add an extra safeguard to help Alby's flow, by disabling the setup page after x minutes, but using LNbits this way by a service like Alby is not something we do or account for. I'm not playing the blame game, but it's a vulnerability not created by us. We can try safeguarding it, but any service that Alby autopopulates should be monitored by Alby and disabled if not set up correctly. As far as I understand the issue.

Replies (4)

Reading the replies, was this Umbrel connecting the funding source? Then if any fixes should be applied, that's where it should start. We can also add something. Bitcoin is built on the blood and sacrifice of early adopters, it sucks, and no future users understand the pain and suffering of those who came before them.
No no… the issue is that if you install LNbits and do NOT set it up and have Umbrel exposed on the public internet, then an attacker can do the setup and steal funds by extracting the LND macaroon. Roughly like that. "Public and not fully set up" is the important part here.