Jan 4, 2018 | By Julia
January is hitting hard for Thingiverse, thanks to a recent attack by a group of malicious cryptocurrency miners that, for now, remains anonymous. Earlier today the massive 3D printing file repository and community made headlines as parent company MakerBot issued a statement detailing the attack.
“The cryptocurrency craze is in full effect and malicious actors online are looking for vulnerable pages to insert their crypto-mining scripts into,” wrote MakerBot reps. It may sound more like the stuff of science fiction, but the breaking scandal is a strong indicator that our mounting anxiety around cryptocurrency may indeed have some basis in reality.
But first, for those who are still scratching their head at the mention of “bitcoins,” let’s get you up to speed: officially classified as a virtual or digital currency, a cryptocurrency is a decentralized digital asset that functions as a medium of exchange, and relies on cryptography (techniques of secure communication) to protect transactions, control the production of additional units, and verify transfers. Once labelled a passing trend, cryptocurrency has exploded in popularity over the past several years, bringing with it a surge in cryptocurrency mining.
Mining is the process of introducing new coins into the existing circulation, while securing the network on which the coins operate. The users who undertake this process are known as “miners,” but unlike their 20th century predecessors, these miners do much more than dig for gold, so to speak. In place of a bank or other central regulating authority, cryptocurrency miners play an integral role in the control, security, and maintenance of their coins’ network. That’s where crypto mining scripts come in: as the primary means for miners to extract value. As MakerBot reps detail in their statement, “these scripts quietly load and operate in the background, sapping a computer’s processing resources in order to mine cryptocurrency for a 3rd party.” Essentially a discrete function placed on a website, mining scripts make use of a website visitor’s CPU. In turn, they validate collections of transactions or “blocks”, and are rewarded with additional cryptocurrency once a block is validated.
In Thingiverse’s case, the cryptocurrency miners targeted the site’s comments section, which was evidently identified as a vulnerability in the massive online community, and therefore prime real estate for covert mining scripts. As reported earlier today, MakerBot discovered this vulnerability in late December, and subsequently uncovered that malicious crypto-mining code had been inserted into the comments of about 100 Things.
In their statement, MakerBot reps were quick to minimize the threat, noting that the scripts never had access to users’ private data. They’re not wrong. Because the mining process begins as soon as a user accesses a website where a crypto mining script is embedded, there’s no need to infect a user’s computer; all that’s required for mining is that the browser have JavaScript activated. That was most certainly the case in the Thingiverse comments section, which is typically used for embedding constructive content, but in this case provided a platform for “bad actors” to insert mining scripts.
All that being said, Thingiverse developers acted swiftly to neutralize the attack. “They banned or warned offenders,” MakerBot said, “and recently deployed a fix that prevents malicious iframe embeds for things like crypto-mining, but still allows for friendly embeds of videos and documents in the comments section.”
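A fix of the kind MakerBot describes, where iframe embeds in comments are kept only when they point at approved video or document hosts, can be implemented as a source allowlist. The Python below is an added example, not Thingiverse's code; the allowlisted hosts, the `miner.example` placeholder and all function names are assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist for illustration; not Thingiverse's actual configuration.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com", "docs.google.com"}

def embed_allowed(src):
    """True only for https URLs whose exact host is on the allowlist."""
    try:
        parts = urlsplit(src)
    except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_EMBED_HOSTS

class CommentSanitizer(HTMLParser):
    """Keeps escaped text and allowlisted iframes; strips all other markup."""

    def __init__(self):
        super().__init__()
        self.out, self.dropped = [], []  # safe markup; rejected iframe sources
        self.in_raw = 0                  # >0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_raw += 1
        elif tag == "iframe":
            src = (dict(attrs).get("src") or "").strip()
            if embed_allowed(src):  # rebuilt from the vetted src; srcdoc/onload are dropped
                self.out.append(f'<iframe src="{escape(src)}"></iframe>')
            else:
                self.dropped.append(src)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.in_raw = max(0, self.in_raw - 1)

    def handle_data(self, data):
        if not self.in_raw:
            self.out.append(escape(data))

def sanitize_comment(html):
    parser = CommentSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped

# Constructed sample comment; miner.example is a placeholder host.
SAMPLE = ('<p>Nice!</p><iframe src="https://www.youtube.com/embed/abc123"></iframe>'
          '<iframe src="https://miner.example/run.html"></iframe><script>run()</script>')
```

`sanitize_comment(SAMPLE)` returns the cleaned comment together with the list of rejected iframe sources, which can feed the moderation queue used to ban or warn offenders.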
The bottom line? Thingiverse will continue to run as before with no noticeable changes to the user interface, although site developers have issued a recommendation that users look into apps and browser add-ons that actively block crypto-mining scripts from loading. One thing’s for sure though: as victims of arguably the first major cyber attack of 2018, Thingiverse and MakerBot are shook. Nevertheless, site reps assure users that they will “continue to protect and educate users, and are proud to manage such an important resource for the entire 3D printing community.”
But the devs at Thingiverse still haven't fixed the super-annoying scrolling bug that has affected both continuous scroll and paged mode scrolling in Thingiverse's "Explore" mode on all browsers, on both Mac and PC, for about a year. It *used to* work properly!