Ultimaker Community of 3D Printing Experts

Security Bug: Private information leakage in .curaproject.3mf files



Posted · Security Bug: Private information leakage in .curaproject.3mf files

I noticed that in the .curaproject.3mf there is a list of recently opened files. This poses a security risk to the creator of the file.

A normal user who gives this project file to a third party normally would not expect that private data is leaked via the 3D-print-project file. This is a severe threat for commercial applications.

The private data that could possibly be leaked, based on the file names of the recently opened files, are:

  • internal project names (folder names)
  • user names (files stored in the user profile directory), used for social engineering attacks
  • other products my company is working on
  • release dates (based on time-stamps in folder names)

I hope I made it clear why saving a list of recently opened files, with or without full path, is a bad idea.

Please disable the saving of the recently opened files in the .curaproject.3mf files.

If you absolutely need this for any customer, then make it an opt-in option in the user preference dialog.

    Posted · Security Bug: Private information leakage in .curaproject.3mf files

    It's a good point, actually. We just put the entire configuration file there, and that could contain the most recent load path, save path, recently opened files and the location of the engine, which are all paths on the user's file system and could be sensitive.

    I'll see if I can remove them for the next release.

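A pre-share check for the leak discussed in this thread, as an added example that is not part of either post and is not Cura's own code: a 3MF file is a ZIP container, so the script lists every archive member that contains absolute file-system paths, plus the user names those paths reveal. The member name `constructed/settings.cfg`, its keys and all paths in the sample are constructed for illustration.

```python
import io
import re
import sys
import zipfile

# Absolute paths: drive-letter, UNC, and POSIX paths under common roots.
# The lookbehinds keep URL schemes such as "http://" from matching.
WIN = r"(?<![A-Za-z])[A-Za-z]:[\\/][^\s\"'<>|;,]+"
UNC = r"\\\\[^\s\"'<>|;,]+"
NIX = r"(?<![\w./])/(?:home|Users|root|mnt|media|tmp|var|opt)/[^\s\"'<>|;,]+"
PATH_RE = re.compile("|".join((WIN, UNC, NIX)))
USER_RE = re.compile(r"(?:Users|home)[\\/]([^\\/]+)")

# Constructed sample: hypothetical key names and paths, not Cura's real format.
SAMPLE_CFG = r"""[general]
recent_files = C:\Users\anna\Projects\ProductX_2016-09\bracket.stl;/home/anna/private/widget.stl
save_path = C:\Users\anna\Projects\ProductX_2016-09
"""

def scan_archive(data: bytes) -> dict:
    """Return {member name: sorted absolute paths found in that member}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            hits = sorted(set(PATH_RE.findall(text)))
            if hits:
                findings[info.filename] = hits
    return findings

def usernames(findings: dict) -> list:
    """User names exposed through profile-directory paths."""
    return sorted({m.group(1) for paths in findings.values()
                   for p in paths for m in USER_RE.finditer(p)})

def build_sample() -> bytes:
    """Build a small constructed project archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3D/3dmodel.model", '<model xmlns="http://schemas.microsoft.com/3dmanufacturing/core/2015/02"/>')
        zf.writestr("constructed/settings.cfg", SAMPLE_CFG)
    return buf.getvalue()

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = scan_archive(data)
    for member, paths in found.items():
        print(member, *paths, sep="\n  ")
    print("user names:", usernames(found))
```

Run it with the path of a project file as the only argument before handing the file to a third party; with no argument it scans the constructed sample.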
