Jan 4, 2018 | By Julia

January is hitting hard for Thingiverse, thanks to a recent attack by a group of malicious cryptocurrency miners that, for now, remains anonymous. Earlier today, the massive 3D printing file repository and community made headlines as parent company MakerBot issued a statement detailing the attack.

“The cryptocurrency craze is in full effect and malicious actors online are looking for vulnerable pages to insert their crypto-mining scripts into,” wrote MakerBot reps. It may sound more like the stuff of science fiction, but the breaking scandal is a strong indicator that our mounting anxiety around cryptocurrency may indeed have some basis in reality.

But first, for those who are still scratching their head at the mention of “bitcoins,” let’s get you up to speed: officially classified as a virtual or digital currency, a cryptocurrency is a decentralized digital asset that functions as a medium of exchange, and relies on cryptography (techniques of secure communication) to protect transactions, control the production of additional units, and verify transfers. Once labelled a passing trend, cryptocurrency has exploded in popularity over the past several years, bringing with it a surge in cryptocurrency mining.

Mining is the process of introducing new coins into the existing circulation, while securing the network on which the coins operate. The users who undertake this process are known as “miners,” but unlike their 20th century predecessors, these miners do much more than dig for gold, so to speak. In place of a bank or other central regulating authority, cryptocurrency miners play an integral role in the control, security, and maintenance of their coins’ network. That’s where crypto mining scripts come in: as the primary means for miners to extract value. As MakerBot reps detail in their statement, “these scripts quietly load and operate in the background, sapping a computer’s processing resources in order to mine cryptocurrency for a 3rd party.” Essentially a discrete function placed on a website, mining scripts make use of a website visitor’s CPU. In turn, they validate collections of transactions or “blocks”, and are rewarded with additional cryptocurrency once a block is validated.

In Thingiverse’s case, the cryptocurrency miners targeted the site’s comments section, which was evidently identified as a vulnerability in the massive online community, and therefore prime real estate for covert mining scripts. As reported earlier today, MakerBot discovered this vulnerability in late December, and subsequently uncovered that malicious crypto-mining code had been inserted into the comments of about 100 Things.

In their statement, MakerBot reps were quick to minimize the threat, noting that the scripts never had access to users’ private data. They’re not wrong. Because the mining process begins as soon as a user accesses a website where a crypto mining script is embedded, there’s no need to infect a user’s computer; all that’s required for mining is that the browser have JavaScript activated. That was most certainly the case in the Thingiverse comments section, which is typically used for embedding constructive content, but in this case provided a platform for “bad actors” to insert mining scripts.

All that being said, Thingiverse developers acted swiftly to neutralize the attack. “They banned or warned offenders,” MakerBot said, “and recently deployed a fix that prevents malicious iframe embeds for things like crypto-mining, but still allows for friendly embeds of videos and documents in the comments section.”
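MakerBot's statement does not say how the fix was implemented. As an added illustration (not Thingiverse's code), here is one common way to get that behaviour: rebuild each comment so that only iframes pointing at an allowlisted host over HTTPS survive. The host list and all function names are assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist of embed hosts (illustrative, not Thingiverse's actual list).
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com", "docs.google.com"}
SAFE_IFRAME_ATTRS = ("width", "height", "allowfullscreen")  # all other attributes are dropped

def embed_allowed(src):
    """Accept only absolute https URLs whose exact host is on the allowlist."""
    try:
        parts = urlsplit(src.strip())
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_EMBED_HOSTS

class CommentSanitizer(HTMLParser):
    """Rebuilds a comment as escaped text plus allowlisted iframes only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.rejected = []  # refused iframe sources, kept for moderation review

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return  # every other tag is dropped; its text is still emitted, escaped
        a = dict(attrs)
        src = a.get("src") or ""
        if not embed_allowed(src):
            self.rejected.append(src)
            return
        kept = "".join(f' {k}="{escape(a[k] or "")}"' for k in SAFE_IFRAME_ATTRS if k in a)
        # sandbox limits popups and top-level navigation; the allowlist blocks miner pages
        self.out.append(f'<iframe src="{escape(src)}"{kept} sandbox="allow-scripts allow-same-origin"></iframe>')

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_comment(html):
    """Return (safe_html, rejected_iframe_sources) for one user comment."""
    p = CommentSanitizer()
    p.feed(html)
    p.close()  # flushes any text still buffered by the parser
    return "".join(p.out), p.rejected

if __name__ == "__main__":
    # Constructed sample comment: one video embed and one tiny frame on an unknown host.
    sample = ('Nice print! <iframe src="https://www.youtube.com/embed/abc123" width="560"></iframe>'
              '<iframe src="https://miner.invalid/run.html" width="1" height="1"></iframe>')
    print(sanitize_comment(sample))
```

The rejected list gives moderators the refused embed sources, which supports the ban-or-warn step the statement mentions.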

The bottom line? Thingiverse will continue to run as before with no noticeable changes to the user interface, although site developers have issued a recommendation that users look into apps and browser add-ons that actively block crypto-mining scripts from loading. One thing’s for sure though: as victims of arguably the first major cyber attack of 2018, Thingiverse and MakerBot are shook. Nevertheless, site reps assure users that they will “continue to protect and educate users, and are proud to manage such an important resource for the entire 3D printing community.”

 

 

Posted in 3D Design

 

 


Tom McBaum wrote at 1/15/2018 1:57:21 AM:

But the devs at Thingiverse still haven't fixed the super-annoying scrolling bug that has affected both continuous scroll and paged mode scrolling in Thingiverse's "Explore" mode on all browsers, on both Mac and PC, for about a year. It *used to* work properly!




About 3Ders.org

3Ders.org provides the latest news about 3D printing technology and 3D printers. We are now six years old and have around 1.5 million unique visitors per month.
