Thingiverse Breach: 50,000 3D Printers Faced Hijacking RiskExposed OAuth Tokens Have Since Been Revoked, Mitigating Takeover Threat
A data breach affecting MakerBot's Thingiverse 3D printing repository website is far bigger than what the company has acknowledged, a former employee claims.
The breach likely affects more than 2 million people whose usernames at minimum were leaked, says TJ Horner, a software engineer and security aficionado who has analyzed the data. Horner worked at MakerBot until last year.
Horner says the data also includes OAuth tokens that until recently could have been used to remotely access MakerBot 5th Generation printers and later models. Those printers have video cameras, so Horner found it was also possible to view the printers' video feeds, including Horner's own MakerBot Method X printer.
Additional mischief may have been possible. A malicious attacker could have sent an erroneous schematic to a 3D printer that could, for example, have broken a printer's stepper motors, Horner says. The tokens also granted access to a user's Thingiverse account, with read and write access.
Those OAuth tokens have now been invalidated by MakerBot, Horner says.
MakerBot maintains that less than 500 users were affected by the data breach. It has also said the data breach consisted of non-production, non-sensitive information that was mostly testing data. It also maintains that all affected users have been notified.
But MakerBot's figures have been disputed not only by Horner but also Troy Hunt, the creator of the free Have I Been Pwned data breach notification site, which alerts subscribers whenever their email address appears in a known breach. Hunt's service has sent 10,646 notifications to subscribers who were affected by the Thingiverse breach. In total, Hunt says the breach exposed 228,000 unique email addresses, which he has loaded into Have I Been Pwned.
I sent emails to 10,646 individual @haveibeenpwned subscribers and a further 1,028 to subscribers monitoring domains. So far, I've had zero responses saying they weren't @thingiverse users and plenty of confirmations that they were. It's unclear where "less than 500" came from. https://t.co/PJ2CiMgNE9— Troy Hunt (@troyhunt) October 15, 2021
Hunt, who uses Thingiverse for his own projects, has expressed frustration about the difficulty in alerting MakerBot and Thingiverse about the breach, as well as the company's continuing lack of full disclosure.
"What I find most noteworthy about the incident isn't the breach itself but the handling," Hunt says, as well as MakerBot's "inability to be transparent and honest about the impact and scope."
MakerBot officials couldn't be immediately reached for comment about Horner's findings. Information Security Media Group alerted MakerBot to the exposed authentication tokens on Friday, and the company subsequently invalidated the tokens.
MySQL Database Leak
Thingiverse is a website where users can share digital designs for objects that can be printed using 3D printers. While the site is popular, some critics have alleged that the site's infrastructure has not been kept sufficiently updated.
The breach occurred after someone going by the nickname Pompompurin discovered Thingiverse had left a 36GB MySQL database exposed to the internet in an Amazon S3 bucket. The data then turned up on a well-known forum for buying and selling data breaches (see Thingiverse Data Leak Affects 228,000 Subscribers).
The leaked data includes email addresses, IP addresses, usernames, physical addresses, full names, direct messages between users and moderation logs. There are also SHA1 hashes of passwords as well as bcrypt hashes. For years, security experts have warned that the SHA1 hashing algorithm should not be used to handle passwords, since it is relatively easy to brute-force the hashes it generates to recover plaintext passwords.
Horner, who was formerly a full stack software engineer with MakerBot, has carefully reviewed the exposed data. The data is a MySQL database snapshot from October 2020 that contains Thingiverse's staging database. But Horner notes that there is also an entire production database within the staging database.
The production data runs up until May 15, 2018, and contains a total of 2,079,011 users, Horner says. Horner also shared a hypothesis about why MakerBot may have underestimated the number of users affected.
When the production data was imported, MakerBot modified those more than 2 million email addresses, Horner says. That likely made the information appear to be test data when it fact it was real data.
Thus, those affected users haven't been notified. Accordingly, Horner says MakerBot needs to correlate the impacted user IDs from the staging database with those in the production database, and then send a notification to those email addresses in the staging data.
If that doesn't occur, Horner has also created a tool allowing people to query if they're affected by the breach.
Another update: I created a tool that can tell you if your account was affected by the leak, and if so, exactly which data was leaked: https://t.co/IRdX3kAUtL https://t.co/inRtBDk0Bj— ︀ (@tjhorner) October 16, 2021
One perhaps surprising aspect of the breach was that it didn't just expose user details, but also OAuth tokens for individual 3D printers. MakerBot has not publicly disclosed that such tokens got leaked, although they have since been invalidated, meaning the leak should pose no further risk.
While at MakerBot, Horner's development work included managing the internet-connectivity software on the 50,000 of the 3D printers it had sold. That group of printers would have been vulnerable to takeovers because of this data breach, Horner says.
"Anyone with one of these compromised tokens has full control over the printer if it's connected to the internet," Horner says.
Horner says the affected printers would have included the Replicator 5th Gen, Replicator Mini, Replicator Z18, Replicator+, Replicator Mini+, all of the Method-series printers and MakerBot Sketch.
OAuth tokens for Horner's MakerBot Method X 3D printer were in the data, which at that time - prior to being invalidated - still worked with the Thingiverse API and Thingiverse's remote printer access API, which is called Reflector, Horner says. By pinging the APIs with a token, the API would return a list of printers that are authorized to a particular user, Horner says.