Slashdot Mirror


The Internet Is Ripe With In-Browser Miners and It's Getting Worse Each Day (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Ever since mid-September, when Coinhive launched and the whole cryptojacking frenzy started, the Internet has gone crazy with in-browser cryptocurrency miners, and new sites that offer similar services are popping up on a weekly basis. While one might argue that mining Monero in a site's background is an acceptable alternative to viewing intrusive ads, almost none of these services that have recently appeared provide a way to let users know what's happening, let alone a way to stop mining behavior. In other words, most are behaving like malware, intruding on users' computers and using resources without permission. [...] Bleeping Computer spotted two new services named MineMyTraffic and JSEcoin, while security researcher Troy Mursch also spotted Coin Have and PPoi, a Coinhive clone for Chinese users. On top of this, just last night, Microsoft spotted two new services called CoinBlind and CoinNebula, both offering similar in-browser mining services, with CoinNebula configured in such a way that users couldn't report abuse. Furthermore, none of these two services even have a homepage, revealing their true intentions to be deployed in questionable scenarios.

24 of 362 comments

  1. Executable documents... by GenP · · Score: 5, Insightful

    Even more reason to disable Javascript.

    1. Re:Executable documents... by DickBreath · · Score: 4, Interesting

      I don't want to have to disable Javascript.

      That would be bad.

      What I want is to have to enable Javascript. If I feel like it. If it seems like I'm missing out on something.

      Does slashdot stress out ad blockers or what? Why not have ads that don't require Javascript? If the ads are too many then I just won't come back.

      What if browsers severely limited the amount of execution time Javascript had to set up event handlers on controls in a business application? Then also severely limit the execution time of those event handlers -- exclusive of the time it takes for an event handler to make a limited number of ajax calls to the page's originating server. Would this idea limit the bitcoin mining abuse, while not constraining real applications?

      --

      I'll see your senator, and I'll raise you two judges.
  2. Autocorrect typo? by Hartree · · Score: 4, Informative

    I suspect the submitter meant "rife" rather than "ripe".

    Of course, since "ripe" can mean "stinky", maybe it fits.

    1. Re:Autocorrect typo? by gnick · · Score: 5, Funny

      For all intensive porpoises, they both fit.

      --
      He's getting rather old, but he's a good mouse.
    2. Re:Autocorrect typo? by Anonymous Coward · · Score: 5, Funny

      I hole-hardedly agree, but allow me to play doubles advocate here for a moment. For all intensive purposes I think you are wrong. In an age where false morals are a diamond dozen, true virtues are a blessing in the skies. We often put our false morality on a petal stool like a bunch of pre-Madonnas, but you all seem to be taking something very valuable for granite. So I ask of you to mustard up all the strength you can because it is a doggy dog world out there. Although there is some merit to what you are saying it seems like you have a huge ship on your shoulder. In your argument you seem to throw everything in but the kids Nsync, and even though you are having a feel day with this I am here to bring you back into reality. I have a sick sense when it comes to these types of things. It is almost spooky, because I cannot turn a blonde eye to these glaring flaws in your rhetoric. I have zero taller ants when it comes to people spouting out hate in the name of moral righteousness. You just need to remember what comes around is all around, and when supply and command fails you will be the first to go. Make my words, when you get down to brass stacks it doesn't take rocket appliances to get two birds stoned at once. It's clear who makes the pants in this relationship, and sometimes you just have to swallow your prize and accept the facts. You might have to come to this conclusion through denial and error but I swear on my mother's mating name that when you put the petal to the medal you will pass with flying carpets like it’s a peach of cake.

    3. Re:Autocorrect typo? by gnick · · Score: 5, Funny

      Would they be fighting with bear hands?

      --
      He's getting rather old, but he's a good mouse.
    4. Re:Autocorrect typo? by DickBreath · · Score: 4, Funny

      Your never going too get you're weigh on this.
      Their are just two many people out they're using there words wrong too get to upset.
      Sew don't loose you're cool about it.
      You can sea mini common examples that exist of incorrect usage.
      People pick the write words two use according too there porpoises.
      But you'd have two be a fool to begin or end a sentence with the word "but".
      And only an idiot would begin or end a sentence with "and".
      And a preposition is a very bad word too end a sentence with.
      Anyway, you should never use the word anyway.
      Only on weakdays ending in "y" you should utilize the word "use" whenever you would use the word "utilize".
      And relax on the weakened.

      --

      I'll see your senator, and I'll raise you two judges.
  3. Possible fix by Anonymous Coward · · Score: 5, Interesting

    Is there a way that someone could write a browser plugin that returns wrong/garbage results to the crypto mining command and control server, rendering entire massive calculation trees wrong and useless and destroying their scheme?

    Ideally a way to enable/disable per site so that sites that ask permission can be granted on a case-by-case basis.
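
The per-site enable/disable part of this idea, sketched as an added example that is not part of the original comment or any real extension's code: a request filter that blocks scripts and sockets from listed miner hosts unless the user has opted in for the visiting site. The hostnames, the `policy` object and the function names are constructed placeholders, and it does not cover the garbage-results idea.

```javascript
// Constructed sample policy: the .example hostnames are placeholders,
// not real miner domains.
const policy = {
  minerHosts: ["miner-cdn.example", "pool.coin-service.example"],
  // Sites the user has explicitly allowed to mine (per-site opt-in).
  allowedSites: new Set(["news.example"]),
};

// Normalise a URL to its hostname: lower-case, no trailing root dot.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase().replace(/\.$/, "");
}

// True when host equals entry or is a subdomain of it. Matching on a label
// boundary keeps "notminer-cdn.example" from matching "miner-cdn.example".
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Decide what to do with one sub-resource request (script, XHR, WebSocket)
// made by a page. Returns the action plus a reason suitable for logging.
function decide(requestUrl, pageUrl, pol) {
  let reqHost, pageHost;
  try {
    reqHost = hostOf(requestUrl);
    pageHost = hostOf(pageUrl);
  } catch (e) {
    return { action: "block", reason: "unparseable URL" }; // fail closed
  }
  const hit = pol.minerHosts.find((entry) => hostMatches(reqHost, entry));
  if (!hit) {
    return { action: "allow", reason: "not on miner list" };
  }
  if (pol.allowedSites.has(pageHost)) {
    return { action: "allow", reason: "user opted in for " + pageHost };
  }
  return { action: "block", reason: "miner host " + hit };
}
```

The opt-in is keyed on the page's host rather than the miner's, so granting one site permission does not let the same miner script run everywhere else.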

  4. Is there a way to request them to stop ads? by guruevi · · Score: 4, Interesting

    No? Then this is the same discussion we had decades ago about ads and it will end up in the same way.

    If you go to a site, then you give it explicit permission to use resources on your computer. Whether that resource is doing stuff on the Internet (AJAX) or doing stuff on your computer (mining).

    A user can control your computer though, they can limit the amount of cycles a website or browser gets to spend, block JavaScript, block whatever resource they want. In the end, the user is letting them do this and once sites see that it's costing them more money than it profits (when people stop visiting the "slow website") they'll learn.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  5. Yep by LeftCoastThinker · · Score: 4, Interesting

    I believe the word the author was looking for is "rife" as in filled with/replete with.

    Just another reason that ad blockers like uBlock Origin are mandatory. I also browse with a JS dynamic switch so I can kill JS with a button press for obnoxious sites.

    --
    If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like
  6. Re:I get it, kind of by ctilsie242 · · Score: 4, Insightful

    I can see this becoming worse, especially with encrypted media extensions that obfuscate the presence of a mining tool under the guise of DRM.

  7. I wish sites would just come out and say it by Kjella · · Score: 5, Interesting

    "As an alternative to ads, we are testing out in-browser cryptocurrency mining as a means to fund our website. If you prefer our ad-supported version, click here" and see how many would actively choose ads. I mean if this is a functioning micro-transaction system I think it's got much less downsides than almost every other possible alternative, particularly that you don't need any kind of payment info or personal data. If it's any kind of site where you have an account you could have like points and build up a sort of credit you'd "pay" with to read articles and so on.

    --
    Live today, because you never know what tomorrow brings
  8. What is the alternative though by monkeyxpress · · Score: 4, Insightful

    Indeed, yet JavaScript, for all its many, many foibles, is a much more universal computing platform than we have ever been able to achieve by other means. For this reason alone we shouldn't be in such a hurry to abandon it. Is anyone looking forward to going back to having to support Flash, Silverlight, Java applets, and whatever new half-baked solution gets dreamed up by a bullying vendor?

    We are still heading towards a good place. It took a long time to beat down IE and its deliberate consensus killing behavior, and to nudge JS into a form that is sufficiently standardised and supported. We are just a few short steps from asm.js becoming a reality, and all the benefits that will flow from there. Rather than rejecting JS outright, I think it is better to continue to find solutions to these sorts of problems. The web needs a common client side computing platform, and I don't see where any useful alternative is going to come from right now.

    1. Re:What is the alternative though by JohnFen · · Score: 5, Insightful

      Indeed, yet JavaScript, for all its many, many foibles, is a much more universal computing platform than we have ever been able to achieve by other means. For this reason alone we shouldn't be in such a hurry to abandon it.

      I don't think that's anything close to a sufficient reason to accept the dangers associated with it. Javascript is not only a theoretical security problem, it's one that's very commonly exploited.

      All of the arguments that apply to getting rid of flash apply to getting rid of Javascript.

      We are still heading towards a good place.

      Maybe, but the evidence for this is weak.

      The web needs a common client side computing platform

      "Needs" is a very strong term. In my opinion, it's more of a "nice to have" than a "can't live without".

    2. Re: What is the alternative though by Anonymous Coward · · Score: 5, Funny

      So much this. It's enough to make me want to go buy meth just to reverse-engineer it back into cold medicine because it's fucking easier to acquire.

    3. Re:What is the alternative though by JohnFen · · Score: 4, Insightful

      No matter what language browsers used the issues would be the same given the browser environment.

      I agree, the fault isn't the precise language as such, the fault is the ability for webpages to push and execute code on your machine.

    4. Re:What is the alternative though by OrangeTide · · Score: 4, Informative

      Someone was nice enough to collect a list of JavaScript vulnerabilities. And I also found a list of Proof of Concepts and many of them are for JavaScript and browser. And includes a nice paragraph description for each.

      I can't prove the earlier post's claim that "[the problem of JavaScript security is] one that's very commonly exploited."
      But it does seem that there are many well known security issues with popular implementations of JavaScript.

      --
      “Common sense is not so common.” — Voltaire
  9. Alternative to advertising? by Okian+Warrior · · Score: 5, Interesting

    Even more reason to disable Javascript.

    While I agree with that sentiment, I have to wonder why this is such a big deal?

    Assuming that mining is not actually harming me or my computer - destroying files, or leaking my information to someone - why should I care? If I visit a website and read an article, maybe a minute of my time, my computer is otherwise idle and the amount of energy spent is negligible.

    We've always wanted a way to monetize visiting a site, could this be a way to do it?

    Suppose we had a service where people could submit computationally intensive problems which can be broken down into smaller computational units. Such as "folding at home" or "seti at home".

    The answers to some of those problems could be valuable, so we could imagine research institutions paying money to use the system to solve those problems, and pay out based on the amount of computation a website brings in.

    This is proportional to the number of users who view the website, and for how long. This could be a user-friendly alternative to advertising.

    In fact, one can imagine the *government* paying money to use the system as a make-work program: it would encourage people to make better, more meaningful websites overall. Would the sociological benefit outweigh the extra costs?

    (Assuming that people don't game the system, but it seems reasonable that we could learn all the gaming techniques over time and avoid them. Sort of how we deal with advertizing clicks currently.)

    I don't see what the problem here is, and look at it as an opportunity.

    Could this be a user-friendly way to monetize a website, as an alternative to advertising?

    1. Re: Alternative to advertising? by Monster_user · · Score: 5, Insightful

      CPU cycles equals wear and tear, slower performance, and likely more bandwidth consumption.

      While you may not be affected, plenty of people are and will be.

      Those on metered connections, or who have to pay overages for data.
      Those running on mobile devices who need as much battery life as they can squeeze out of their devices.
      Those who are at the lower end of the financial spectrum, who have to watch their wattage and struggle to replace their aging machines, and struggle to provide air conditioning and such to their homes.

      It's kind of like the penny. For so many people it isn't even worth picking up, but for so many other people a penny is a big deal. My biggest concern would be battery life.

  10. No such problem by Artem+S.+Tashkinov · · Score: 4, Interesting

    This "problem" is so exaggerated it's becoming annoying to hear about it again and again.

    First of all, most respectable websites will never do anything like that. Secondly, shady websites which do host mining JavaScript are not normally visited by most people and the ones who visit such websites usually leave them quite fast, which means bad scripts can only run for a very limited amount of time. Thirdly, we've always had websites which peddle malware and somehow they stopped being newsworthy years ago. All of a sudden, they are again in the news.

    Fourthly, we now have "good" websites which stress your CPU so much they can be considered "harmful". What about ad networks whose JS tax your CPU? Why aren't we talking about them?

  11. Flag them! by kurkosdr · · Score: 5, Insightful

    Flag. These. As. Malware. Let's see how these smarty pants website owners and advertisers react when their users start avoiding the site because they are getting anti-malware alerts and get demoted in search engine results.

  12. commentsubject by Falos · · Score: 5, Interesting

    It's parasitic and hidden, but to believe that an opt-in checkbox equates to being "in the clear" - hell, that opt-in being offered at all is supposed to be par for today's commercial atmosphere - is awfully naive.

    In fact, this "hidden" behavior? Is still transparent relative to the shit being done with various fingerprints/useragents, with the hundred different metrics possible on your phone. To say nothing of you unfortunate souls with accounts on facetweet and socnets.

    It's almost refreshingly simple. They're mooching your CPU, your electricity, but the intent is plain, the motives obvious. Compare it to the clusterfuck, the rat-king of trade-and-parcel done with your credit info/score/history/etc. We're oblivious to the amount of closed-door behavior going on around us, of how many databases end up hooking a single instance of you flashing your insurance card to get a painkiller or flu shot, or a scratch on the car.

    Again, it's unscrupulous, yes, but "shady"? Consider that word and apply it to the shady pickpocket who grabs your $20's and throws your wallet on the sidewalk, versus the shady cartels running our world, ISPs and Muh Big Pharma and all our good friends trashing the atmosphere/soil/rainforest/aquabeds/whatever without a moment's hesitation, global-scale behaviors behind purchased laws, behind NDAs, behind agreement named with so much obfuscating euphemism you think it benefits consumer proles. Go ask a stranger what "net neutrality" is.

    Christ, you can probably stop these scripts with a browser mod or two, or a greasemonkey. Five minutes of placement. While if you fuck with your registry and hosts file maybe you'll get (most of) win10's bullshit to stop showing up on wireshark.

    I'd probably prefer a silent miner (esp. if throttled to polite levels) over the butterfly dominoes from an ad watched by DoubleClick, with a facebook pixel watching. Submission is stupid about what he can hope for, naive, thinks an ad is just "Buy my book" and done. Thinks clicking "don't send me emails" is a win.

    Not an apologist, just mentioning perspective.

  13. Re:Why disable? by Anonymous Coward · · Score: 5, Insightful

    Mining to your own account in Javascript is stupid. It's incredibly inefficient (ie. it wastes lots more electricity than you will ever see in return). If you're going to mine it then mine it natively. The only reason it works for them is because it's not their electricity.

    There is no way in hell the revenue from mining can match ads. This whole mining in the browser thing is just for illegitimate uses (ie. malware).

  14. Re: Why disable? by phantomfive · · Score: 4, Insightful

    The point (which you seemed to have missed) is that any vaguely legitimate website will be able to make more money selling ads than they will by mining bitcoin on their visitors' computers. (Note that as Bitcoin value increases, the effort required to mine increases as well.)

    Since you can make more money by selling ads than mining bitcoin in Javascript, the only ones who will do it are those who don't have the ability to sell ads.

    --
    "First they came for the slanderers and i said nothing."