A member of the Facebook group 3D Printing has exposed a vulnerability in the design of Thingiverse that allows commenters on Things’ pages to embed cryptocurrency miners. Now fixed, the malicious comments hijacked vulnerable computers and used them to mine for digital currency.
It’s mere days into 2018 and already we’re hit with an intriguing tale of stealthy cryptocurrency mining taking place place right under our noses. Indeed Thingiverse, of all places, has been subject to a bombastic abuse of its commenting system, with daring commenters hijacking it for cryptocurreny mining at the expense of regular users’ computing power.
Thanks to a seemingly glaring flaw in the popular 3D model sharing site’s commenting system, commenters were able to insert malicious code into their comments.
While present on an open browser page (in this case multiple Thingiverse comments pages) the code loads into the web browser’s memory and diverts vulnerable computers’ processing power to efforts to decrypt cryptocurrency.
As long as the affected pages remain open, the computer’s resources continue to ‘mine‘ for the digital money.
Facebook 3D Printing group member Chris Mayhew discovered the issue on January 2nd, while browsing the Thingiverse item “Fillenium Malcon”. The offending comments and the actions it attempted to trigger were flagged multiple times by his anti-virus software (Avast, incidentally).
However, speaking to All3DP on the issue, MakerBot PR Manager Josh Snider has revealed that the exploit was already on the company’s radar. “In late December, MakerBot discovered that a vulnerability in the comments section of Thingiverse allowed malicious crypto-mining code to be inserted into the comments of about 100 Things, out of the site’s library of over 2 million designs.” He continues “The mining scripts never had access to users’ private data.”
Following Mayhew posting his discovery to the Facebook group, a lively discussion followed with multiple members investigating further, unraveling the scale of the problem. Within hours it was clear that many of Thingiverse’s most popular 3D printables were still affected.
Thingiverse is a Money Maker… Just Not for You
Within hours of Mayhew flagging the problem to Makerbot, Snider confirmed in a direct message that it had been passed on to the Thingiverse development team, who were “way on top of it!“.
Trawling through Thingiverse’s most popular models, it’s clear a widespread deletion of recent comments has taken place, leading us to believe whoever was posting the code targeted the site’s best performing models. Even the likes of 3DBenchy, Baby Groot and the V29 whistle appear to have been hit. User MantelMan, cited as one of the culprits posting the scripts, no longer appears in searches on Thingiverse.
Addressing the response to the vulnerability, Snider continues: “The community and Thingiverse’s development team reacted quickly. They banned or warned offenders and recently deployed a fix that prevents malicious iframe embeds for things like crypto-mining, but still allows for friendly embeds of videos and documents in the comments section.”
Crypt-over, For Now
With Bitcoin, the original and most widely known cryptocurrency, recently jumping in value to $19,172 (since a baseline of approximately $1,000 in the first half of 2017), it’s to be expected that some will turn to any and every means to mine the currency.
But manner in which this cryptocurrency mining operation at the expense of Thingiverse users occurred is just the tip of what could have been a huge iceberg for the site.
Benjamin Kentopp, an Information Security Officer for a US government contractor and admin of the 3D Printing Facebook group explains: “Typically with the ability to execute unchecked code in the comments an attacker could execute a phishing i-frame and trick you into giving up account info or load ransomware”.
In his statement, Snider recommends security minded users to consider apps and add-ons that block crypto-mining scripts, although he assures users that “Thingiverse users don’t need to worry about people hijacking their Things, nor do they need to take extra means to protect their computers when accessing Thingiverse.”
The nature of the Thingiverse vulnerability is unfortunate. But Makerbot should count their lucky stars that its discovery began, as far as we’re aware, with something relatively benign for its users.