A Surge of Sites and Apps Are Exhausting Your CPU To Mine Cryptocurrency (arstechnica.com)
Dan Goodin, writing for ArsTechnica: The Internet is awash with covert cryptocurrency miners that bog down computers and even smartphones with computationally intensive math problems called by hacked or ethically questionable sites. The latest examples came on Monday with the revelation from antivirus provider Trend Micro that at least two Android apps with as many as 50,000 downloads from Google Play were recently caught putting crypto miners inside a hidden browser window. The miners caused phones running the apps to run JavaScript hosted on Coinhive.com, a site that harnesses the CPUs of millions of PCs to mine the Monero cryptocurrency. In turn, Coinhive gives participating sites a tiny cut of the relatively small proceeds. Google has since removed the apps, which were known as Recitiamo Santo Rosario Free and SafetyNet Wireless App. Last week, researchers from security firm Sucuri warned that at least 500 websites running the WordPress content management system alone had been hacked to run the Coinhive mining scripts. Sucuri said other Web platforms -- including Magento, Joomla, and Drupal -- are also being hacked in large numbers to run the Coinhive programming interface.
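The Sucuri finding above is about script tags injected into WordPress pages. As an added example (not from the article or any of the commenters), here is a small Python check a site owner could run over their own rendered pages: it flags any external script whose host is not on a constructed allowlist, and any inline script mentioning Coinhive. The allowlist, the sample page and the inline marker heuristic are all assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site expects to serve script from (constructed allowlist for the example).
ALLOWED_HOSTS = {"cdn.example.com"}
# Substrings checked in inline scripts; a simple heuristic, not a complete miner signature.
INLINE_MARKERS = ("coinhive",)

class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies from an HTML page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True
    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def find_suspicious_scripts(html, allowed=ALLOWED_HOSTS, markers=INLINE_MARKERS):
    """Return (kind, detail) findings: external scripts from hosts outside the allowlist,
    and inline scripts containing a marker. Relative src values are same-origin and skipped."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname  # None for relative paths such as /js/app.js
        if host and host.lower() not in allowed:
            findings.append(("external", src))
    for body in parser.inline:
        if any(m in body.lower() for m in markers):
            findings.append(("inline", body.strip()[:60]))
    return findings

# Constructed sample page: one allowlisted CDN script, one same-origin script, one injected miner.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
<script src="/wp-includes/js/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in find_suspicious_scripts(SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```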
This might remind people how weird it is that they run software automatically downloaded from arbitrary foreign sources all the time on their personal computer.
If people still knew how to write HTML, almost no web site would need to use any "JavaScript" or other "active content", with all the security issues this implies.
This is just indicative of the much larger issue of how incredibly dangerous it is to allow servers to inject and run arbitrary code from third parties on your client machines. Third party ad-networks already do this, and if they're benign, they'll only TRACK you. If they're not, they'll do this, or try to hack your machine, or just about anything else they want to with all the power Javascript gives them - crypto-currency mining included.
Irony: Agile development has too much inertia to be abandoned now.
Probably quite a few, which is the advantage of something like that. Pretty much the same as spam, on an individual basis it's probably not very lucrative or effective. But by the time you are getting a 1-2% rate on a vast number of things, it balances out.
I'm utterly unsurprised people are harvesting CPU via JavaScript. And I'm utterly laughing because I whitelist JavaScript and sure as fuck don't allow arbitrary sites to run shit like that ... because I assume the average site is run by greedy assholes.
Ads, malware, analytics ... it's all the same to me. Block the shit out of it no matter what it is. Because someone either wants to monetize your information, or, apparently, the act of browsing to their site to offer up your CPU to them.
As structured, the web has an idiotic security model, where you are expected to trust every site you visit to essentially run arbitrary code, set cookies, and access god knows what.
This shit was inevitable, and pretty much reinforces my belief that trusting random websites is idiotic. But people keep doing it, because they can't live without cat videos and poop emojis.
This is the internet we deserve.
Type "about:performance" in the URL bar of any recent Gecko web browser (e.g., SeaMonkey and Firefox) to show a top-style view. I would also like to see a tab version like its audio one.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
> Does anyone remember the person that deleted the small JavaScript file and brought down so many big sites because they were loading it from his site instead of having a copy on their own site? I think it was to justify text. It was only a couple of lines.
You're recalling the npm package called left-pad (alternate write-up here). The author was Azer Koçulu (Slashdot might botch his Turkish surname, apologies for that).