The cryptocurrency craze is in full effect and malicious actors online are looking for vulnerable pages to insert their crypto-mining scripts into.
These scripts quietly load and operate in the background, sapping a computer’s processing resources in order to mine cryptocurrency for a third party.
In late December, MakerBot discovered that a vulnerability in the comments section of Thingiverse allowed malicious crypto-mining code to be inserted into the comments of about 100 Things, out of the site’s library of over 2 million designs. The mining scripts never had access to users’ private data.
The community and Thingiverse’s development team reacted quickly.
They banned or warned offenders and recently deployed a fix that prevents malicious iframe embeds for things like crypto-mining, but still allows for friendly embeds of videos and documents in the comments section.
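One way a comment filter can block arbitrary iframe embeds while keeping video and document embeds is sketched below as an added example; it is not Thingiverse's actual fix. The host allowlist, the sandbox policy and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist; the page does not say which hosts Thingiverse permits.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com", "docs.google.com"}
RAW_TEXT_TAGS = ("script", "style", "iframe")  # inner text is never echoed back
IFRAME = '<iframe src="%s" sandbox="allow-scripts allow-same-origin"></iframe>'

def embed_allowed(src):
    """True only for an https URL whose exact host is on the allowlist."""
    # Browsers read "\" as "/" and strip tabs/newlines; urlsplit does not, so
    # reject those characters rather than risk the two parsers disagreeing.
    if "\\" in src or any(ord(c) <= 0x20 for c in src):
        return False
    try:
        parts = urlsplit(src)
    except ValueError:
        return False
    return parts.scheme == "https" and parts.hostname in ALLOWED_EMBED_HOSTS

class CommentFilter(HTMLParser):
    """Escapes text, re-emits allowlisted iframes, drops every other tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "iframe" and self.skip == 0:
            src = (dict(attrs).get("src") or "").strip()
            # Rebuilt from the validated src only: no srcdoc, no event handlers.
            if embed_allowed(src):
                self.out.append(IFRAME % escape(src, quote=True))
        if tag in RAW_TEXT_TAGS:
            self.skip += 1

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS and self.skip:
            self.skip -= 1

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_comment(comment_html):
    parser = CommentFilter()
    parser.feed(comment_html)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt rather than edited in place, anything the filter does not recognise is dropped by default, including an unclosed iframe and whatever follows it.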
The MakerBot-operated site Thingiverse, the world’s largest 3D printing file library and community, is a rich, open space that occasionally comes up against less-than-savory actors online – like so many other large user-generated content sites. The comment sections on Thingiverse, which are typically used for embedding constructive content, were instead used by bad actors to insert mining scripts, in violation of the Thingiverse Terms of Use and Thingiverse’s friendly and collaborative spirit.
Thingiverse users don’t need to worry about people hijacking their Things, nor do they need to take extra measures to protect their computers when accessing Thingiverse.
MakerBot will continue to operate Thingiverse in the spirit of openness, community, and sharing.
We will continue to protect and educate users, and are proud to manage such an important resource for the entire 3D printing community. MakerBot will not tolerate violations of Thingiverse’s Terms of Use. We also recommend that security-minded users look into apps and browser add-ons that actively block crypto-mining scripts from loading.
It’s important to note that when Thingiverse faces challenges like this, in the greater context of digital trends, MakerBot and the community have responded quickly and responsibly to protect each other and the hard work they put into their 3D designs.