Replying to Avatar Alby

Hey Francis, we’re really sorry this happened.

In this case, the Umbrel setup was reachable publicly on the clearnet, so it could be accessed from the outside. At the same time Alby Hub had also been installed but the setup wasn’t finished yet. Since the unlock password is created during that setup flow, no password had been set at the time which allowed the attacker to finish the setup and change the Alby Hub configuration.

We’ve submitted a PR to Umbrel to add an extra authentication layer to require the umbrel password to access alby hub. https://github.com/getumbrel/umbrel-apps/pull/4028

It is sad that people from the community attack such projects. Projects that create awesome things for the community and push the adoption of bitcoin. Projects that work for the benefit of all of us and not for their own profit.

We call on the attacker to return the funds!

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

a lot of apps have this kind of silly pattern, but they are usually trivial and non-valuable things especially before you set them up.

the default should be that it writes a token to the terminal, that you have to use to set the password. unless the SSH connection is breached this prevents this kind of bootstrap snipe attack.

if you have ever set up SSH on a VPS and looked at the logs, you will see there is probably tens of thousands or more bots on the internet scanning and probing everything they can find.

they now have claude, to help them with this, not sure if you caught the news but they discovered that some clever guys were using claude to automate breaching of servers on the internet, that were far more sophisticated and fast than any such exploit ever seen before.

at this point, it's pretty much game over. nothing should be open to connections on the internet without a back channel lock.

Reply to this note

Please Login to reply.

Discussion

Avatar
Francis Mars 1mo ago 💬 1

Calling it a silly pattern is very kind from you.

nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyw8wumn8ghj7un9d3shjtngd9nksmrfva58getj9e3k7mf0qqs8u5uf0rd2p9wmdxxaznpn54tkq8wwspmljy0cjqw6jdgm5kv84ds3selle admin menu on Umbrel requires you to copy a string from the apps page. The reason I didn't go through with the initial installation is because I went back to the apps page to look for the password and couldn't find it🥴

This wasn't an automated attack.

First of all, it happened right after I shared the news release article on nostr:nprofile1qyt8wumn8ghj7ct4w35zumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qpqqf9pur8yz8e8w78ap6255fx9x6xrakm2jgmqyv063l9365p7sdcs7adyk5, I was probably attacked by someone that got the link directly from me by DM.

Second, and most relevant to prove it was not automated, the perpetrator had access to the node for 18 hours before stealing the funds. He was probably learning how to clean up his tracks or maybe how to not feel guilty about being a thief son of a whore.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

there's snakes out there. they don't get much visibility here because it's so hard to game visibility but they are out there.

+ru5+ n0-on3

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm you could use nostr DMs as a mechanism for delivering the unlock secret to the user securely. in fact, i would very much like it if alby hub used nostr auth and instead of sending me emails to my protonmail, to send them to me as nostr DMs

just a thought

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago

nostr auth would allow you to set the npub with admin power before you even start it. it would then require that key to unlock. and ... then there would not be any need to set a password either.