I see, I believe this is important information that should be understood by all parties; maybe it can help someone in the future. What happened was: I had Umbrel installed on a VPS, with bitcoind, lnd, LNbits. I accessed it via public IP and password. (I knew it was a precarious setup, I was supposed to change it, I kept delaying it because I didn't really use that node/LNbits, until the day I released the pubpay and I was hacked, which makes it very likely that it was someone that saw the release.) I used the app store to install Alby Hub. But afterwards, you're meant to run the application as it has a first setup page, which I didn't. Bumi blames me for this setup, as the Umbrel (and the funds) were only protected by the Umbrel password. As the Alby Umbrel config was turning off the default Umbrel authentication, Alby Hub was exposed to clearnet without a password and the attacker had free access. Bumi says this is good UX; it might be for some, for me it was fatal. Bumi says that LNbits has the same vulnerability and, in similar scenarios, the same could happen again. So this might be something to look at. cc: @Ben Arc

Replies (2)

I don't blame anybody! I feel very sorry for you! It sucks big time... (I just complained, and I am sad about your hinting at intentionally being "bad actors" and your blame on open source projects and communities.) Anyway... PROXY_AUTH: false is set for many apps for a reason, because otherwise they cannot be accessed and/or their APIs do not work. see: it's not even about good/bad UX. It is how those things work. In that combination of running this publicly and not completing the setup, this can be fatal, as we sadly had to see. We made a PR to change this in the Alby Hub Umbrel app (about which also some complained because it broke things) - the Umbrel app is community maintained. Afaik LNbits Umbrel says it will not be changed (I don't know the details, but I think this is valid as many things and apps would not work then). This problem might exist on other deployments, too. And it is also not unique to Umbrel: if you install some WordPress and don't complete the setup, then some attacker might be able to take over the server.
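An added example, not part of the thread or of any project mentioned in it: a small audit a node operator could run to list which installed apps switch the proxy authentication off, so those apps can be checked for a completed first-run setup before the host is reachable from outside. It assumes each app lives in its own directory with a `docker-compose.yml`, and that the setting name starts with `PROXY_AUTH` as spelled in the reply; the key `PROXY_AUTH_ADD`, the app names and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Matches mapping style (KEY: "false") and list style (- KEY=false).
PROXY_AUTH_OFF = re.compile(
    r"""^\s*-?\s*(PROXY_AUTH\w*)\s*[:=]\s*["']?(false|no|off|0)["']?\s*(?:#.*)?$""",
    re.IGNORECASE,
)

def find_unauthenticated_apps(app_root):
    """Return {app_dir_name: [(line_no, setting), ...]} for compose files that disable proxy auth."""
    findings = {}
    for compose in sorted(Path(app_root).glob("*/docker-compose.y*ml")):
        lines = compose.read_text(errors="replace").splitlines()
        for line_no, line in enumerate(lines, 1):
            if line.lstrip().startswith("#"):
                continue  # a commented-out setting has no effect
            match = PROXY_AUTH_OFF.match(line)
            if match:
                findings.setdefault(compose.parent.name, []).append((line_no, match.group(1)))
    return findings

# Constructed sample compose files (hypothetical apps, assumed layout).
SAMPLES = {
    "example-wallet": 'services:\n  app_proxy:\n    environment:\n'
                      '      APP_HOST: example-wallet_web_1\n      APP_PORT: 8080\n'
                      '      PROXY_AUTH_ADD: "false"\n',
    "example-list-style": 'services:\n  app_proxy:\n    environment:\n'
                          '      - APP_PORT=3000\n      - PROXY_AUTH=false\n',
    "example-protected": 'services:\n  app_proxy:\n    environment:\n'
                         '      APP_PORT: 3000\n      # PROXY_AUTH_ADD: "false"\n',
}

def demo():
    """Write the constructed samples to a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for app, text in SAMPLES.items():
            app_dir = Path(root) / app
            app_dir.mkdir()
            (app_dir / "docker-compose.yml").write_text(text)
        return find_unauthenticated_apps(root)

if __name__ == "__main__":
    for app, hits in demo().items():
        for line_no, setting in hits:
            print(f"{app}: {setting} disabled at line {line_no}; "
                  "confirm the app's own login/setup is complete")
```

Every app this reports relies entirely on its own authentication, so an app that is installed but has not been through its first-run setup is the case to fix or stop first.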