Security Bug: Private information leakage in .curaproject.3mf files


Chris1

Posted · Security Bug: Private information leakage in .curaproject.3mf files

I noticed that in the .curaproject.3mf there is a list of recently opened files. This poses a security risk to the creator of the file.

A normal user who gives this project file to a third party normally would not expect that private data is leaked via the 3D-print-project file. This is a severe threat for commercial applications.

The private data that could possibly be leaked, based on the file names of the recently opened files, are:

 

  • internal project names (folder names)
  • user names (files stored in user profile directory), used for social engineering attacks
  • other products my company is working on
  • release dates (based on time-stamps in folder names)

 

I hope I made it clear why saving a list of recently opened files with or without full path is a bad idea.

Please disable the saving of the recently opened files in the .curaproject.3mf files.

If you absolutely need this for any customer, then make it an opt-in option in the user preference dialog.

Posted · Security Bug: Private information leakage in .curaproject.3mf files

It's a good point, actually. We just put the entire configuration file there, and that could contain the most recent load path, save path, recently opened files and the location of the engine, which are all paths on the user's file system and could be sensitive.

I'll see if I can remove them for the next release.

    • Like 1
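
A pre-share check for the leak discussed in this thread, as an added example that is not code from either poster or from Cura: it treats the project file as the ZIP container that 3MF is and reports every archive member containing absolute filesystem paths, going beyond the recent-files list to any embedded path. The entry names and configuration keys in the sample archive are constructed for illustration and are not Cura's real layout.

```python
import io
import re
import zipfile

# Absolute-path patterns: Windows drive paths, UNC shares, file:// URLs,
# and POSIX user directories. The lookbehind keeps "http://" from matching as "p:/".
PATH_RE = re.compile(
    r"""(?:(?<![A-Za-z])[A-Za-z]:[\\/]|\\\\[^\\\s]+\\|file://|/(?:home|Users)/)[^\s;"'<>]*"""
)
MAX_MEMBER_SIZE = 5 * 1024 * 1024  # skip large members such as mesh data

def find_embedded_paths(archive_bytes):
    """Return {member_name: [paths]} for each archive member that embeds filesystem paths."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_SIZE:
                continue
            text = zf.read(info).decode("utf-8", errors="ignore")
            hits = sorted(set(PATH_RE.findall(text)))
            if hits:
                findings[info.filename] = hits
    return findings

def build_sample_project():
    """Constructed sample archive; member names and keys are hypothetical."""
    cfg = (
        "[general]\n"
        "recent_files = C:\\Users\\jdoe\\Projects\\Falcon_2025-03\\bracket.stl;"
        "/home/jdoe/secret-product/lid.stl\n"
        "load_path = C:\\Users\\jdoe\\Projects\\Falcon_2025-03\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3D/model.model", '<model unit="millimeter"></model>')
        zf.writestr("settings/preferences.cfg", cfg)
    return buf.getvalue()

if __name__ == "__main__":
    for name, paths in find_embedded_paths(build_sample_project()).items():
        print(name)
        for p in paths:
            print("   ", p)
```

To audit a real file, pass its bytes, read from disk in binary mode, to `find_embedded_paths`. An empty result means none of the path patterns above were found, not that the file carries no other identifying metadata.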