Thingiverse hit by cryptocurrency mining attack

January 4, 2018 // 10:28 a.m.

Tags: #3d-printing #cryptocurrency #insecurity #javascript #malware #mining #security #vulnerability

Companies: #makerbot #thingiverse

3D printing specialist MakerBot is the latest victim of attackers hijacking websites to embed cryptocurrency mining scripts that run in unsuspecting visitors' browsers, after its design sharing site Thingiverse was found to be serving mining code from user comments.

When cryptocurrencies like Bitcoin, Litecoin, Ethereum, and Monero went from hundreds of 'coins' per penny to thousands of pounds per coin, interest in 'mining' them - performing the computational work that proof-of-work (PoW) coins demand in exchange for block rewards - naturally exploded. Many do so legitimately, either buying dedicated mining hardware or using the otherwise idle cycles of their own GPU and CPU; others take the malicious route and co-opt unsuspecting victims' machines into a large mining botnet.

JavaScript miners designed to be embedded in web pages were originally pitched with legitimate uses in mind: a site that mines on visitors' CPUs while they browse has a stand-in for CAPTCHA-style anti-bot checks (a client must spend real computation before the site serves it) and an alternative to traditional and often obnoxious advertising slots. Sadly, and inevitably, the technology was quickly co-opted for malicious purposes, with attackers injecting the mining code into compromised sites so that it runs, unpaid for and usually unnoticed beyond a hot, slow machine, for as long as the victim keeps the page open.

MakerBot has confirmed that Thingiverse, its community site for the publication and sharing of 3D print designs, is one of the latest to be attacked in this way. 'In late December, MakerBot discovered that a vulnerability in the comments section of Thingiverse allowed malicious crypto-mining code to be inserted into the comments of about 100 Things, out of the site’s library of over 2 million designs,' the company has warned users in a press release. 'The mining scripts never had access to users’ private data.

'The community and Thingiverse’s development team reacted quickly. They banned or warned offenders and recently deployed a fix that prevents malicious iframe embeds for things like crypto-mining, but still allows for friendly embeds of videos and documents in the comments section. Thingiverse users don’t need to worry about people hijacking their Things, nor do they need to take extra means to protect their computers when accessing Thingiverse.'
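The fix described above amounts to an allowlist for iframe embeds in user-generated comments: keep frames that point at known video and document hosts, drop everything else. The following is an added example of that check, written for this article and not Thingiverse's or MakerBot's own code; the allowlisted hostnames and the function names are assumptions chosen for illustration. It parses each iframe's src with the URL parser rather than matching substrings, rejects non-https schemes (which covers javascript: and data: sources), and refuses iframes that carry a srcdoc attribute, since srcdoc supplies an inline document and so bypasses any src-based allowlist.

```javascript
// Added example, not Thingiverse's or MakerBot's code: an allowlist filter for
// iframe embeds in user comments of the kind the press release describes.
// The hosts below are assumptions chosen for illustration.
const ALLOWED_EMBED_HOSTS = new Set([
  "www.youtube.com",
  "www.youtube-nocookie.com",
  "player.vimeo.com",
  "docs.google.com",
]);

// Attribute list of one tag, allowing '>' inside quoted attribute values.
const TAG_ATTRS = String.raw`(?:[^>"']|"[^"]*"|'[^']*')*`;
// Inline or external <script> elements, body included.
const SCRIPT_RE = new RegExp(String.raw`<script\b${TAG_ATTRS}>[\s\S]*?<\/script\s*>`, "gi");
// An <iframe ...> open tag with its (normally empty) body and optional close tag.
const IFRAME_RE = new RegExp(String.raw`<iframe\b${TAG_ATTRS}>\s*(?:<\/iframe\s*>)?`, "gi");
// src="..." / src='...' / src=bare ; the lookbehind keeps data-src from matching.
const SRC_RE = /(?<![\w-])src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
const SRCDOC_RE = /(?<![\w-])srcdoc\s*=/i;

// Returns the hostname when src is an absolute https URL on an allowlisted host,
// otherwise null. Parsing with URL defeats substring tricks such as
// "https://www.youtube.com.evil.example/" or "https://evil.example/?v=www.youtube.com",
// and the scheme check rejects javascript: and data: sources.
function embedHostIfAllowed(src, allowed = ALLOWED_EMBED_HOSTS) {
  let url;
  try {
    url = new URL(src); // throws on relative or malformed input
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  return allowed.has(url.hostname) ? url.hostname : null;
}

// Strips every <script> and every <iframe> that is not an allowlisted embed.
// Returns the filtered HTML plus a record of what was removed, for logging.
// Regex-based filtering keeps the example self-contained; a production comment
// pipeline should run a real HTML sanitizer and apply the same host check there.
function filterCommentEmbeds(html, allowed = ALLOWED_EMBED_HOSTS) {
  const removed = [];
  // A comment never needs script; drop inline and external scripts outright.
  let out = html.replace(SCRIPT_RE, (tag) => {
    removed.push({ kind: "script", tag });
    return "";
  });
  out = out.replace(IFRAME_RE, (tag) => {
    // srcdoc carries an inline document (and script) of its own, so it
    // bypasses any src allowlist and is rejected whatever src says.
    if (SRCDOC_RE.test(tag)) {
      removed.push({ kind: "iframe", reason: "srcdoc" });
      return "";
    }
    const m = tag.match(SRC_RE);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : "";
    if (embedHostIfAllowed(src, allowed)) return tag;
    removed.push({ kind: "iframe", reason: "host not allowlisted", src });
    return "";
  });
  return { html: out, removed };
}

// Constructed sample comments (not real Thingiverse content).
const LEGITIMATE_COMMENT =
  '<p>Printed fine!</p><iframe src="https://www.youtube.com/embed/abc123" allowfullscreen></iframe>';
const MINER_COMMENT =
  '<iframe src="https://miner.example/run.html" style="display:none"></iframe>' +
  '<script src="https://miner.example/m.js"></script>';

console.log(filterCommentEmbeds(LEGITIMATE_COMMENT));
console.log(filterCommentEmbeds(MINER_COMMENT));
```

A filter like this is the first layer, not the last: the same site should also send a Content-Security-Policy whose frame-src and script-src directives name only the allowlisted embed hosts and the site's own script origins, so that a bypass of the comment filter still cannot load a miner, and allowed frames can be given a sandbox attribute to limit what the embedded page may do.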
