Replying to Avatar Francis Mars

It was an exploit related to nostr:nprofile1qqsyv47lazt9h6ycp2fsw270khje5egjgsrdkrupjg27u796g7f5k0spzcs8wumn8ghj7un9d3shjtnyv9kh2uewd9hj7qguwaehxw309ahx7um5wgknztnwvfhjuctwvasku6fwvdhj78w5jyy hub. Their installation page requires 0 authentication and gives access to the entire node. They call it good UI.
Avatar
Alby 1mo ago 💬 6

Hey Francis, we’re really sorry this happened.

In this case, the Umbrel setup was reachable publicly on the clearnet, so it could be accessed from the outside. At the same time Alby Hub had also been installed but the setup wasn’t finished yet. Since the unlock password is created during that setup flow, no password had been set at the time which allowed the attacker to finish the setup and change the Alby Hub configuration.

We’ve submitted a PR to Umbrel to add an extra authentication layer to require the umbrel password to access alby hub. https://github.com/getumbrel/umbrel-apps/pull/4028

It is sad that people from the community attack such projects. Projects that create awesome things for the community and push the adoption of bitcoin. Projects that work for the benefit of all of us and not for their own profit.

We call on the attacker to return the funds!

Reply to this note

Please Login to reply.

Discussion

Avatar
Francis Mars 1mo ago 💬 3

I'm glad that this personal attack on me raised awareness to try to fix the vulnerability before others lose their funds..

Pity that I had to lose both my money and my hope for the community for it to happen...

nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgzypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9nuqcyqqqqqqglchr32

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

a lot of apps have this kind of silly pattern, but they are usually trivial and non-valuable things especially before you set them up.

the default should be that it writes a token to the terminal, that you have to use to set the password. unless the SSH connection is breached this prevents this kind of bootstrap snipe attack.

if you have ever set up SSH on a VPS and looked at the logs, you will see there is probably tens of thousands or more bots on the internet scanning and probing everything they can find.

they now have claude, to help them with this, not sure if you caught the news but they discovered that some clever guys were using claude to automate breaching of servers on the internet, that were far more sophisticated and fast than any such exploit ever seen before.

at this point, it's pretty much game over. nothing should be open to connections on the internet without a back channel lock.

Avatar
Francis Mars 1mo ago 💬 1

Calling it a silly pattern is very kind from you.

nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqyw8wumn8ghj7un9d3shjtngd9nksmrfva58getj9e3k7mf0qqs8u5uf0rd2p9wmdxxaznpn54tkq8wwspmljy0cjqw6jdgm5kv84ds3selle admin menu on Umbrel requires you to copy a string from the apps page. The reason I didn't go through with the initial installation is because I went back to the apps page to look for the password and couldn't find it🥴

This wasn't an automated attack.

First of all, it happened right after I shared the news release article on nostr:nprofile1qyt8wumn8ghj7ct4w35zumn0wd68yvfwvdhk6tcpz9mhxue69uhkummnw3ezuamfdejj7qpqqf9pur8yz8e8w78ap6255fx9x6xrakm2jgmqyv063l9365p7sdcs7adyk5, I was probably attacked by someone that got the link directly from me by DM.

Second, and most relevant to prove it was not automated, the perpetrator had access to the node for 18 hours before stealing the funds. He was probably learning how to clean up his tracks or maybe how to not feel guilty about being a thief son of a whore.

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

there's snakes out there. they don't get much visibility here because it's so hard to game visibility but they are out there.

+ru5+ n0-on3

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago 💬 1

nostr:npub1getal6ykt05fsz5nqu4uld09nfj3y3qxmv8crys4aeut53unfvlqr80nfm you could use nostr DMs as a mechanism for delivering the unlock secret to the user securely. in fact, i would very much like it if alby hub used nostr auth and instead of sending me emails to my protonmail, to send them to me as nostr DMs

just a thought

Avatar
ᴛʜᴇ ᴅᴇᴀᴛʜ ᴏꜰ ᴍʟᴇᴋᴜ 1mo ago

nostr auth would allow you to set the npub with admin power before you even start it. it would then require that key to unlock. and ... then there would not be any need to set a password either.

Avatar
₿k 1mo ago 💬 1

All projects get attacked; be it open-source freedom tech like cashu or alby

the key is to remove any attack surface

nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgdwyee4

nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgdwyee4

Avatar
ben 1mo ago

you could have omitted the last paragraph. in your business you must expect adversaries and build defensively. nice to see the linked PR.

Avatar
Eporediese 1mo ago

Yes that is indeed sad. But maybe it’s a timely reminder.

As an Alby customer who has been exposed to software risk analysis for a long time, I see a transition happening from technically very savvy cypherpunks on the base layer to higher level projects supporting more regular users (like me). Old security assumptions may no longer apply.

So, those project developers should take an equally vigilant, adversarial mindset as the cypherpunks always have.

I suggest that solution developers apply rigorous and transparent risk management best practices: FMEA analysis, security threat analysis and so on, going forward.

The community could probably help with review of that analysis as we have a vested interest that projects like Alby succeed.