Thread

Zero-JS Hypermedia Browser

Relays: 5
Replies: 5
Generated: 07:43:41
avatar
Alby hello@getalby.com npub1geta...0nfm
Hey Francis, we’re really sorry this happened. In this case, the Umbrel setup was reachable publicly on the clearnet, so it could be accessed from the outside. At the same time Alby Hub had also been installed but the setup wasn’t finished yet. Since the unlock password is created during that setup flow, no password had been set at the time which allowed the attacker to finish the setup and change the Alby Hub configuration. We’ve submitted a PR to Umbrel to add an extra authentication layer to require the umbrel password to access alby hub. https://github.com/getumbrel/umbrel-apps/pull/4028 It is sad that people from the community attack such projects. Projects that create awesome things for the community and push the adoption of bitcoin. Projects that work for the benefit of all of us and not for their own profit. We call on the attacker to return the funds!
2025-11-28 15:56:31 from 1 relay(s) ↑ Parent 5 replies ↓
Login to reply

Replies (5)

avatar
Francis Mars francismars@chainduel.net npub1t5at...ahcl
I'm glad that this personal attack on me raised awareness to try to fix the vulnerability before others lose their funds.. Pity that I had to lose both my money and my hope for the community for it to happen... nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgzypr90hlgjed73xq2jvrjhna4ukdx2yjyqmdslqvjzhh83wj8jd9nuqcyqqqqqqglchr32
2025-11-28 16:21:38 from 1 relay(s) ↑ Parent 2 replies ↓ Reply
avatar
mleku me@mleku.dev npub1fjqq...leku
a lot of apps have this kind of silly pattern, but they are usually trivial and non-valuable things especially before you set them up. the default should be that it writes a token to the terminal, that you have to use to set the password. unless the SSH connection is breached this prevents this kind of bootstrap snipe attack. if you have ever set up SSH on a VPS and looked at the logs, you will see there is probably tens of thousands or more bots on the internet scanning and probing everything they can find. they now have claude, to help them with this, not sure if you caught the news but they discovered that some clever guys were using claude to automate breaching of servers on the internet, that were far more sophisticated and fast than any such exploit ever seen before. at this point, it's pretty much game over. nothing should be open to connections on the internet without a back channel lock.
2025-11-28 16:23:02 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
avatar
₿k karki@primal.net npub1rcc7...amf9
All projects get attacked; be it open-source freedom tech like cashu or alby the key is to remove any attack surface nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgdwyee4 nostr:nevent1qqsy66aynuese7y5f43aaqhvulz8g4297gl0v7tk7qcltfxjqtp22cgdwyee4
2025-11-28 17:31:18 from 1 relay(s) ↑ Parent 1 replies ↓ Reply
avatar
Eporediese Eporediese@primal.net npub1sxqx...kaqv
Yes that is indeed sad. But maybe it’s a timely reminder. As an Alby customer who has been exposed to software risk analysis for a long time, I see a transition happening from technically very savvy cypherpunks on the base layer to higher level projects supporting more regular users (like me). Old security assumptions may no longer apply. So, those project developers should take an equally vigilant, adversarial mindset as the cypherpunks always have. I suggest that solution developers apply rigorous and transparent risk management best practices: FMEA analysis, security threat analysis and so on, going forward. The community could probably help with review of that analysis as we have a vested interest that projects like Alby succeed.
2025-11-28 20:47:35 from 1 relay(s) ↑ Parent Reply