-
That's a good point. At the very least, there should be a warning popup (or visual indicator) when performing operations like
-
How can one safely run ComfyUI? Many people don't understand programming and rely on online tutorials for deployment, so they may not know how to ensure a secure environment. If ComfyUI cannot address this directly, creating a detailed guide to teach users how to prevent such issues would be beneficial. What do you think?
-
Users of ComfyUI are often unaware of their deployment being exposed, more so when they use a cloud instance, which due to the nature of required hardware specs is very common.
There are over 1000 exposed ComfyUI installations:
Only 64 of them are using ComfyUI-Login:
A lot seem to have ComfyUI-Manager installed, which makes it trivially easy to install a custom node that allows shell access to completely take over the instance, install malware, spyware, cryptominers, etc. Anyone could write a script that takes the Shodan results and does the necessary HTTP requests to have them join a private botnet or whatever, all without the users ever noticing until they get their bill from their cloud provider or their next utilities bill.
Even without ComfyUI-Manager, it can be used maliciously to host pictures (people really don't want to be a mule for child porn).
On each instance I've visited I've installed ComfyUI-Login so users are at least aware that their instance is wide open.
I know from reading the opened issues about authentication that it's not really the focus of ComfyUI, nor should it be, but sometimes less tech-savvy people need to be protected from themselves or at least made aware that their setup is insecure. Even if authentication is too much work, a simple dismissable popup "You are potentially exposing your ComfyUI instance" when first launched should hopefully give some users pause. People just follow a guide, run a script or copy the --listen 0.0.0.0 without understanding what it means, and it can have potentially big consequences.
A good similar example was when people setting up Raspberry Pis that originally came with SSH access on and a default username and password did not realize they were exposed to the internet, and so many Pis got added to a botnet or were used as an attack vector to other devices in the local network. Guides may scream that they should change the password, but a lot of people didn't because they didn't understand the implications. The only way to stop that was to force SSH user/password setup. I feel like ComfyUI users fall into the same crowd. Negligence is one thing, but being even unaware that they are being negligent is quite another.
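The startup warning the post asks for, as an added example that is not ComfyUI's own code: it inspects the `--listen` argument (assumed here to behave like ComfyUI's, where a bare `--listen` means all interfaces), checks whether the bind address is reachable beyond loopback, and looks for a ComfyUI-Login folder under `custom_nodes` as a hypothetical stand-in for "some authentication layer is installed".

```python
# Added example, not part of ComfyUI: warn on startup when the instance is
# bound to a non-loopback address and no authentication layer is present.
import argparse
import ipaddress
import os
import sys
from typing import List, Optional


def parse_listen(argv: List[str]) -> List[str]:
    """Extract bind address(es) from ComfyUI-style arguments.

    Assumption: default is loopback, a bare --listen binds all interfaces,
    and a comma-separated list of addresses is accepted.
    """
    parser = argparse.ArgumentParser(add_help=False)
    parser.add_argument("--listen", nargs="?", default="127.0.0.1", const="0.0.0.0,::")
    args, _ = parser.parse_known_args(argv)
    return [a.strip() for a in args.listen.split(",") if a.strip()]


def is_public_bind(addr: str) -> bool:
    """True if binding to addr makes the server reachable from other hosts."""
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # a hostname: treat conservatively as exposed


def auth_installed(custom_nodes_dir: str) -> bool:
    """Hypothetical check: is the ComfyUI-Login node folder present?"""
    return os.path.isdir(os.path.join(custom_nodes_dir, "ComfyUI-Login"))


def exposure_warning(argv: List[str], custom_nodes_dir: str = "custom_nodes") -> Optional[str]:
    """Return a warning string if the deployment looks exposed, else None."""
    public = [a for a in parse_listen(argv) if is_public_bind(a)]
    if not public:
        return None
    msg = "WARNING: ComfyUI is listening on %s and is reachable from other hosts." % ", ".join(public)
    if not auth_installed(custom_nodes_dir):
        msg += (" No authentication layer found: anyone who can reach this port can run"
                " workflows and install custom nodes. Bind to 127.0.0.1 behind an"
                " authenticated reverse proxy, or restrict the port with a firewall.")
    return msg


if __name__ == "__main__":
    warning = exposure_warning(sys.argv[1:])
    if warning:
        print(warning, file=sys.stderr)
```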