Slashdot Mirror


Chrome Extension with 100,000 Users Caught Pushing Cryptocurrency Miner (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: A Chrome extension with over 105,000 users has been deploying an in-browser cryptocurrency miner to unsuspecting users for the past few weeks. The extension does not ask for user permission before hijacking their CPUs to mine Monero all the time the Chrome browser is open. Named "Archive Poster," the extension is advertised as a mod for Tumblr that allows users an easier way to "reblog, queue, draft, and like posts right from another blog's archive." According to user reviews, around the start of December the extension has incorporated the infamous Coinhive in-browser miner in its source code.

47 comments

  1. Affiliate links by 110010001000 · · Score: 3, Funny

    That is really underhanded. It is like posting affiliate links to unrelated Amazon stuff.

    1. Re:Affiliate links by Anonymous Coward · · Score: 0

      Apparently it wasn't always like that and was added in an update.

      This is a good reason why automatic updates are fucking stupid. I'm glad Pale Moon allows me to disable updates for extensions. I really wanted to like Vivaldi, but it lacks the ability to do that so it's a big, fat fail.

    2. Re:Affiliate links by Anonymous Coward · · Score: 0

      Without his affiliate links how else do you expect creimer to gorge himself on multiple buffets a day?

  2. And Firefox just moved to this extension model?! by Anonymous Coward · · Score: 0

    Firefox users who upgraded to Firefox 57 will know all too well that Firefox's new WebExtensions extension model is pretty much a clone of Chrome's approach. This upgrade broke pretty much all of our existing extensions. It's one of the most disruptive software updates I've experienced in a long time.

    One of the justifications for this massively disruptive change was that Firefox's old extension approach wasn't as "secure" as Chrome's approach.

    Yet this incident shows that Chrome's approach, and likely Firefox's new WebExtensions approach, probably aren't any better than Firefox's old approach.

    The Firefox developers trashed our user experience in the name of "security", but now it's like we're finding out that we probably aren't any more secure after all.

    What a debacle!

  3. Break a leg by Anonymous Coward · · Score: 0

    Nerdlings Sorrow! Break a knee both wrists and an ankle ... betcha that slows-down the frisky dev. Bitch prolly thinks he has rights !

  4. Cryptocurrencies need to invalidate coins. by Anonymous Coward · · Score: 0

    That are mined without consent. Distributed computer programs like BOINC already forbid use without permission, so it's time mining programs do so as well.

    1. Re:Cryptocurrencies need to invalidate coins. by Ash-Fox · · Score: 1

      How does Gridcoin (BOINC's cryptocurrency) invalidate coins mined without consent when it's discovered say, a after being mined?

      --
      Change is certain; progress is not obligatory.
  5. charge the authors with theft by Ritz_Just_Ritz · · Score: 4, Insightful

    If the extension is surreptitiously stealing your CPU cycles and electricity to perform an activity that the authors did not explicitly ask permission for, I would say that meets the definition of theft. File a criminal complaint and let the authorities chase them around.

    1. Re:charge the authors with theft by Anonymous Coward · · Score: 0

      Let this be a reminder to everyone: if you add a shady function to your extension, then don't forget to bury a vague mention of the activity in the middle of your 10-page long ToS.

    2. Re:charge the authors with theft by known_coward_69 · · Score: 1

      Call the FBI. I'm sure they'll get right on it

    3. Re:charge the authors with theft by Anonymous Coward · · Score: 0

      What theft? It offers the script to your browser. If you choose to run it, that's your decision. Else you better be arguing that people running adblockers should be charged with theft also, when they visit a site and don't consume the ads...

    4. Re:charge the authors with theft by Anonymous Coward · · Score: 0

      What theft? It offers the script to your browser. If you choose to run it, that's your decision.

      This theft:
      https://definitions.uslegal.com/t/theft-of-services/

      The electric company runs wires to all homes as well, but if you don't have an account to pay for it and choose to use that electricity anyway, it's not just your decision but a crime.

      Else you better be arguing that people running adblockers should be charged with theft also, when they visit a site and don't consume the ads...

      That very argument has been made, and although there is no case law yet to actually explicitly say so, it is very easy to read the legal definition of theft of service such that ad blockers are actually illegal.

      The only difference there seems to be is that people in general and the legal system don't appear to give a shit about the crime of using an ad blocker, where they do give a shit about the crime of infecting people with malware.

      Unenforced laws are quite the common thing.
      Cops write moving violation tickets all the time for exceeding the specified speed limits, yet when was the last time you've heard of anyone getting a moving violation for going under the specified speed minimum? Were you even aware that there *is* a speed minimum?
      The penalties for both of those violations are pretty much identical (fine amount, points on insurance, thresholds for the additional "reckless" claims, etc) yet one is enforced and the other never is to the point people forget it's even a law.

    5. Re:charge the authors with theft by JThundley · · Score: 1

      This is Tumblr we're talking about, I think you meant to say "charge the authors with rape".

    6. Re:charge the authors with theft by Anonymous Coward · · Score: 0

      Your analogy sucks, and you know mine is accurate.

      Browser requests javascript. Browser voluntarily executes. Until someone is pointing a gun at the head of these users, telling them to run the cryptominer code or else, it ain't theft.

    7. Re:charge the authors with theft by Anonymous Coward · · Score: 0

      Is it theft, though? Using my CPU?

      Flash does this in ads, and I don't want it to. Half the software, probably more, that we use everyday, including the OS, is reporting back to HQ with our personal data.

      And really, it's Chrome, why not just ask Google to move in with you.

      It should be illegal, along with all non-opt-in data collection.

  6. Re:And Firefox just moved to this extension model? by MightyYar · · Score: 5, Insightful

    Security is one justification, but the real problem is that the old extension model allowed extensions to hook into every part of the GUI. This meant that any change to the GUI at all could potentially break an extension. They tried patching this by keeping track of what version an extension was developed against, but in the end they felt that the system was fundamentally broken and was holding the whole project back. Personally, I share your frustration as the new model can't even accommodate seamlessly shifting the tabs over to the side, or adding a button to pop open the password manager. I'm hoping they continue to add capability.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  7. The dangers of popularity by IWantMoreSpamPlease · · Score: 1

    100k users is nothing, 1 million is nothing. Popularity of an extension means nothing if something like this can happen. The auto-update method for extensions is ripe for abuse.
    IIRC, not that long ago places like GitHub were taken over in much the same manner. Trusted applications were suddenly wrapped with malware.

    I don't have a solid answer, but it's something worth looking into.

    --
    So rise up, all ye lost ones, as one, we'll claw the clouds.
    1. Re:The dangers of popularity by Anonymous Coward · · Score: 0

      GitHub? Don't you mean SourceForge?

      On a related note, because of these shenanigans, sites like Ninite have come about to give you the app without the ad wrappers and drive-by installs (wouldn't you like a little McAfee with your Flash? some Chrome with your Java?). FWIW, Adobe was one of the first companies that insisted its software be removed from Ninite.

      FileZilla client took the opposite approach. Once the client is downloaded, it checks daily for updates. When it finds one, it lets you know it's available, (downloads it in the background), gives you the changelog with a banner ad. So long as it is a static banner (or set of banners), being served up, I don't mind. As long as it's not huge, I'm good with it.

  8. Chrome is spyware by Anonymous Coward · · Score: 0

    And now it's a delivery vehicle for malware.

  9. This practice needs to be outlawed now. by Anonymous Coward · · Score: 0

    And I do not mean "running a miner without user consent", I also mean "running a miner WITH user consent".

    Mining in the browser is so horrendously energy inefficient, that it should be illegal to waist resources, and therefor pollute, so frivolously. It is one of the excesses of capitalism that needs to be curtailed, just like many other profit making polluting schemes (minor profit for one person, major problems for the rest of us) have been made illegal.

    1. Re:This practice needs to be outlawed now. by rgbatduke · · Score: 1

      Awww, come on, let the kiddies get rich selling each other rocks...

      --
      Even when the experts all agree, they may well be mistaken. --- Bertrand Russell.
    2. Re:This practice needs to be outlawed now. by DontBeAMoran · · Score: 1

      ...it should be illegal to waist resources, and therefor pollute...

      It should also be illegal to write posts like yours but you don't see us asking to send your ass to jail.

      Also, not all energy is wasted or polluting. I'm mining Monero right now, powered by hydro-electricity and the heat byproduct is helping to heat my house because we're in the middle of winter here. It's so cold that I'm almost tempted to build three more PCs with all the old motherboards and CPUs I have in a box somewhere.

      --
      #DeleteFacebook
    3. Re:This practice needs to be outlawed now. by SScorpio · · Score: 1

      Make sure you use Pentium 4 CPUs for maximum heat generation.

    4. Re:This practice needs to be outlawed now. by Anonymous Coward · · Score: 0

      I'm mining Monero right now

      I bet you are not doing it in javascript in a browser.

    5. Re:This practice needs to be outlawed now. by Anonymous Coward · · Score: 0

      it should be illegal to waist resources

      *waste. Honest to fucking god.

      Monero (cryptonight algorithm) was designed with stuff like this in mind. That is to say a "level" playing field where implementing a miner in js is perfectly feasible. 100,000 Tumblr retards unwittingly running a Monero miner in their browsers for a few weeks is actually enough to have probably found a nonzero number of blocks, which would be worth somewhere in the neighborhood of $10,000 USD per mined block at current rates.

      It's all a big lottery, which means the payout might have been zero or it might have been half a dozen blocks mined. It's a pretty smart idea if you target the right group of people (those dumb enough to require browser extensions in order to use Tumblr for example) of a large enough size, but you better hope it pays off because they'll be locking shit down a lot more once you're found out.

      This incident explains the sudden huge jump in hashrate on the Monero network at the beginning of December, going to unknown miners. People in the community (which is to say one guy on a Reddit thread) noticed it. I wonder if something similar is happening with Sumokoin right now, as the global hashrate has jumped from 2.7MH less than two weeks ago to 70MH today.

    6. Re:This practice needs to be outlawed now. by Anonymous Coward · · Score: 0

      More importantly, I'll "waist" my electricity on whatever I please.

    7. Re:This practice needs to be outlawed now. by DontBeAMoran · · Score: 1

      You laugh, but I do have a P4 in the stack of old motherboards. I was planning to use it to cook gluten-free, zero-carb, free-range vegan pancakes.

      --
      #DeleteFacebook
  10. Can't have things both way nerds by Anonymous Coward · · Score: 0

    You remember your argument that ad-blocking should be unrestricted? That you're just making requests to a webserver, it doesn't have to respond, but if it chooses to respond with the content you wanted, then good for it?

    Those cryptocurrency miner scripts? They're just supplying javascript to your browser. It doesn't have to run it, but if it chooses to respond by executing the offered script? Good for it.

    Can't have things both ways.

  11. Re:And Firefox just moved to this extension model? by jbmartin6 · · Score: 2

    More secure isn't the same as perfect security and no one claimed it was, so your approach of taking one failure and concluding that the whole model isn't any better than the previous one fails the logic test. Unfortunately, since browsers are so capable and widely used, a browser extension is essentially just an additional application with all the threats that confers. If you install a crappy extension, you will get crappy results. The defense is to vet your browser extensions as carefully as you do your applications. P.S. all the Firefox extensions I use work fine on the new model.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  12. Re:And Firefox just moved to this extension model? by Anonymous Coward · · Score: 0

    Your comment is a perfect example of the denial, backtracking, and personal attacks we see so often from Firefox's supporters.

    You're the only one who brought up this "perfect security" nonsense, in an attempt to deflect attention away from Firefox's shortcomings. Nobody else said anything about "perfect security". Only you did!

    Let's look at the pros and cons of XUL versus WebExtensions.

    XUL Scenario:
    Cons: Vulnerable to some attacks.
    Pros: Powerful. Many existing extensions that are well-tested and work fine.

    WebExtensions Scenario:
    Cons: Vulnerable to some attacks. Not compatible with the many existing XUL extensions. Limited capabilities compared to XUL. Some XUL extensions can't even be reimplemented because WebExtensions is so limited. Few compatible extensions. Severe disruption to users.
    Pros: None.

    The problem should be obvious. Both XUL and WebExtensions may be susceptible to some attacks, but that's XUL's only drawback. It turns out that WebExtensions are also susceptible to attacks, but WebExtensions also suffers from many other drawbacks, as proven above.

    This whole WebExtensions situation has been a total disaster for many Firefox users. Our extensions were broken for no reason, and what we get in the end isn't actually any better, and in my opinion it's actually much worse.

  13. Re:And Firefox just moved to this extension model? by Anonymous Coward · · Score: 0

    This is a Trojan horse. Without signatures, inspection, quotas with consequences or other behavioral detection methods how could this be avoided? Maybe the extensions should be run in a separate process that has only white-listed network connectivity.

  14. Re:And Firefox just moved to this extension model? by Lunix+Nutcase · · Score: 1

    Clearly the problem is that the extension wasn't written in Rust...

  15. Hmm... by Anonymous Coward · · Score: 1

    So you're telling me there's finally a way to monetize Chrome extensions?

  16. NAME IT by Anonymous Coward · · Score: 0

    "Archive poster"

  17. How much did the extension cost? by lano1106 · · Score: 1

    and is it useful?

    I bet that if the creator did offer a paid premium version without the mining even at a very reasonable price most users would quietly shutoff and continue using the free mining version....

    1. Re:How much did the extension cost? by Anonymous Coward · · Score: 0

      Boohoo.

  18. Rusty trombines all around! by Anonymous Coward · · Score: 0

    Rusty! Crusty! Assholes! WOOOOOOOOOOOOOO!

  19. Rusty trombones all around! by Anonymous Coward · · Score: 0

    Don’t listen to this idiot. Parent is a AIDS-infected, butt-humping homosexual!

  20. Tumblr bleeding by kristofer.vesi · · Score: 1

    The shit about Yahoo and Tumblr, Yahoo made the small barely standing Tumblr fall and puke, now this too, it encourages users to leave it... Sad to see Tumblr leaving...

  21. Area to block: photorito.me by Trax3001BBS · · Score: 1

    HOSTS file or set into router. A Chrome Extension site, I've seen this site buried as a redirect hidden by its IP address 163.172.60.109

    1. Re:Area to block: photorito.me by Anonymous Coward · · Score: 0

      Maybe APK will help?

    2. Re:Area to block: photorito.me by Anonymous Coward · · Score: 0

      Why do you invoke the nameless one?

    3. Re:Area to block: photorito.me by Anonymous Coward · · Score: 0

      APK APK APK!!!! APK to the rescue!!!!.................

  22. Easily blocked in hosts files... apk by Anonymous Coward · · Score: 0

    0.0.0.0 whchsvlxch.site
    0.0.0.0 c7e935.netlify.com
    0.0.0.0 netlify.com

    * SOURCE https://www.bleepingcomputer.com/news/security/chrome-extension-with-100-000-users-caught-pushing-cryptocurrency-miner/

    "classic Windows hosts trick to block the Coinhive or Crypto-Loot domains" https://www.bleepingcomputer.com/news/security/a-new-player-joins-coinhive-on-the-browser-cryptojacking-scene/ BLEEPING COMPUTER

    APK

    P.S.=> Accept NO substitute for APK Hosts File Engine 10++ 32/64-bit SR-1 https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ for speed, security, reliability natively for less resources & complexity vs. "so-called security 'solutions'" (security issues riddled (DNS/Antivirus/routers) slowing you (hosts speed you up) OR sold-out to not work by default (adblock)) via hosts kernelmode speed (vs. slow usermode)
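
An added example, not part of any comment in this thread: a check of what the hosts entries quoted above actually cover. A hosts file matches names exactly and is consulted only during name resolution, so the `netlify.com` entry does not extend to other subdomains, and a connection made directly to an IP address (as the photorito.me comment describes) is unaffected. The name `example-app.netlify.com` is constructed for illustration.

```python
import ipaddress

# Constructed sample: the three entries quoted in the comment above,
# plus a comment line and an inline comment to exercise the parser.
SAMPLE_HOSTS = """\
# sinkhole entries
0.0.0.0 whchsvlxch.site
0.0.0.0 c7e935.netlify.com   # one specific subdomain
0.0.0.0 netlify.com
"""

# Names and the address mentioned in the thread, plus one constructed subdomain.
TARGETS = [
    "whchsvlxch.site",
    "c7e935.netlify.com",
    "example-app.netlify.com",  # constructed: a different netlify.com subdomain
    "photorito.me",             # named in an earlier comment, absent from the list
    "163.172.60.109",           # literal IP address from the same comment
]

def parse_hosts(text):
    """Return {hostname: ip_address} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # skip malformed lines
        for name in fields[1:]:               # a line may list several names
            table.setdefault(name.lower().rstrip("."), addr)  # keep first mapping
    return table

def is_sinkholed(target, table):
    """True only if this exact name maps to an unspecified or loopback address."""
    try:
        ipaddress.ip_address(target)
        return False      # literal IP: no name lookup, so hosts is never consulted
    except ValueError:
        pass
    addr = table.get(target.lower().rstrip("."))
    return addr is not None and (addr.is_unspecified or addr.is_loopback)

def coverage(targets, hosts_text):
    """Map each target to whether the hosts entries sinkhole it."""
    table = parse_hosts(hosts_text)
    return {t: is_sinkholed(t, table) for t in targets}

if __name__ == "__main__":
    for target, blocked in coverage(TARGETS, SAMPLE_HOSTS).items():
        print(f"{target:28} {'sinkholed' if blocked else 'NOT covered'}")
```

Names reported as not covered need their own entries or a control that handles wildcards and addresses, such as a filtering DNS resolver or a firewall rule.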

  23. Re:And Firefox just moved to this extension model? by Anonymous Coward · · Score: 0

    Actually it's less secure because it does forced automatic updates of extensions.

    If it ain't broke, don't fix it. If I get updates, _I_ want to see what they are and _I_ want to apply them myself to ensure that they don't fuck up anything else and cause gaping security holes. I can handle the security on my PC much better than Mozilla or Microsoft can, thanks.