3D printing specialist MakerBot has become the latest victim of malicious actors hijacking websites to embed cryptocurrency mining scripts for execution on unsuspecting visitors' laptops, through its design sharing site Thingiverse.
When cryptocurrencies like Bitcoin, Litecoin, Ethereum, and Monero went from hundreds of 'coins' per penny to thousands of pounds per coin, interest in 'mining' them - performing the computational effort required of proof-of-work (POW) coins in order to receive block rewards - naturally exploded. While many do so legitimately, either purchasing powerful dedicated hardware or taking advantage of the typically-unused spare cycles on their GPU and CPU, others opt for a more malicious approach by co-opting unsuspecting victims into being part of a massive mining botnet.
MakerBot has confirmed that Thingiverse, its community site for the publication and sharing of 3D print designs, is one of the latest to be attacked in this way. 'In late December, MakerBot discovered that a vulnerability in the comments section of Thingiverse allowed malicious crypto-mining code to be inserted into the comments of about 100 Things, out of the site’s library of over 2 million designs,' the company has warned users in a press release. 'The mining scripts never had access to users’ private data.
'The community and Thingiverse’s development team reacted quickly. They banned or warned offenders and recently deployed a fix that prevents malicious iframe embeds for things like crypto-mining, but still allows for friendly embeds of videos and documents in the comments section. Thingiverse users don’t need to worry about people hijacking their Things, nor do they need to take extra means to protect their computers when accessing Thingiverse.'
October 14 2019 | 14:00