Chris1

Security Bug: Private information leakage in .curaproject.3mf files

Posted · Security Bug: Private information leakage in .curaproject.3mf files

I noticed that in the .curaproject.3mf there is a list of recently opened files. This poses a security risk to the creator of the file.

A normal user who gives this project file to a third party normally would not expect that private data is leaked via the 3D-print-project file. This is a severe threat for commercial applications.

The private data that could possibly be leaked, based on the file names of the recently opened files, are:

  • internal project names (folder names)
  • user names (files stored in user profile directory), used for social engineering attacks
  • other products my company is working on
  • release dates (based on time-stamps in folder names)

I hope I made it clear why saving a list of recently opened files with or without full path is a bad idea.

Please disable the saving of the recently opened files in the .curaproject.3mf files.

If you absolutely need this for any customer, then make it an opt-in option in the user preference dialog.

Posted · Security Bug: Private information leakage in .curaproject.3mf files

Hi @Chris1, thank you for your message. I have moved it to the software category where our software developers are scanning for messages as well.

Posted · Security Bug: Private information leakage in .curaproject.3mf files

It's a good point, actually. We just put the entire configuration file there, and that could contain the most recent load path, save path, recently opened files and the location of the engine, which are all paths on the user's file system and could be sensitive.

I'll see if I can remove them for the next release.

  • Like 1
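
Added example, not part of the thread and not Cura's own code: a pre-share check that opens a project file as the ZIP container that 3MF is and lists every string that looks like a local file-system path, which is the kind of data the posts above describe. The sample archive, its `Example/preferences.cfg` member, the key names and the paths are constructed for illustration and are not Cura's real layout.

```python
import io
import re
import zipfile

# Path-like strings: Windows drive paths, UNC shares, file:// URLs, POSIX home dirs.
# The lookbehind keeps "http://" from being read as a drive letter "p:/".
PATH_RE = re.compile(
    r"""(?:(?<![A-Za-z])[A-Za-z]:[\\/]|\\\\[^\\\s]+\\|file://|/(?:home|Users)/)[^\s;,"'<>]+"""
)

def find_embedded_paths(archive):
    """Return sorted (member, path) pairs found in a ZIP-based project file.

    `archive` is a filename or a binary file object.
    """
    hits = set()
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if b"\0" in data:  # skip binary members such as thumbnails
                continue
            text = data.decode("utf-8", errors="replace")
            for match in PATH_RE.finditer(text):
                hits.add((info.filename, match.group(0)))
    return sorted(hits)

def build_sample():
    """Constructed sample archive; member names, keys and paths are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "3D/3dmodel.model",
            '<model xmlns="http://schemas.microsoft.com/3dmanufacturing/core/2015/02"/>',
        )
        zf.writestr(
            "Example/preferences.cfg",
            "[example]\n"
            "recent_files = C:\\Users\\alice\\Projects\\Widget_2019-06\\bracket.stl;"
            "/home/alice/secret-product/case.stl\n"
            "load_path = file:///home/alice/secret-product\n"
            "layer_height = 0.2\n",
        )
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for member, path in find_embedded_paths(build_sample()):
        print(f"{member}: {path}")
```

Any hit is worth reviewing before the file leaves the organisation, since user names, project folder names and dates show up inside the reported paths.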