Slashdot Mirror


The Los Angeles Times Website Is Unintentionally Serving a Cryptocurrency Mining Script (itwire.com)

troublemaker_23 shares a report from iTWire: The Los Angeles Times website is serving a cryptocurrency mining script which appears to have been placed there by malicious attackers, according to a well-known security expert. British infosec researcher Kevin Beaumont, who has warned that Amazon AWS servers could be held to ransom due to lax security, tweeted that the newspaper's site was serving a script created by Coinhive. The Coinhive script mines for the monero cryptocurrency. The S3 bucket used by the LA Times is apparently world-writable and an ethical hacker appears to have left a warning in the repository, warning of possible misuse and asking the owner to secure the bucket.
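The summary's "world-writable S3 bucket" is a concrete, checkable ACL condition. The following is an added example (not code from the article, from Kevin Beaumont, or from the LA Times) showing how to audit a bucket ACL for the grants that make it publicly writable. `analyse_acl` works on the dictionary shape boto3's `get_bucket_acl` returns; the two sample ACLs are constructed for illustration, and `audit_bucket` is the only part that needs AWS credentials.

```python
"""Audit an S3 bucket ACL for grants that make it world-writable.

Added example, not code from the article or the site it describes.
analyse_acl() runs offline on the dict shape returned by boto3's
get_bucket_acl(); the sample ACLs below are constructed.
"""
from typing import Dict, List

# Canned grantee URIs Amazon uses for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "AllUsers", AUTH_USERS: "AuthenticatedUsers"}

# Permissions that let a principal add/replace objects (WRITE) or rewrite
# the ACL itself (WRITE_ACP, which is a one-step path to WRITE).
DANGEROUS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def analyse_acl(acl: Dict) -> List[str]:
    """Return one finding string per public grant in an S3 ACL document."""
    findings: List[str] = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser / AmazonCustomerByEmail grants are not public
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if group is None:
            continue  # e.g. the LogDelivery group
        perm = grant.get("Permission")
        if perm in DANGEROUS:
            findings.append(f"CRITICAL: {group} has {perm} (bucket is world-writable)")
        elif perm == "READ":
            findings.append(f"WARNING: {group} has READ (bucket listing is public)")
    return findings


def audit_bucket(bucket: str) -> List[str]:
    """Fetch the live ACL and analyse it (needs AWS credentials and boto3)."""
    import boto3  # imported lazily so the offline analysis needs no SDK
    acl = boto3.client("s3").get_bucket_acl(Bucket=bucket)
    return analyse_acl(acl)


# Constructed sample: everyone can read and write, the "-rw-rw-rw-" case.
SAMPLE_WORLD_WRITABLE = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
    ],
}

# Constructed sample: only the owner has access.
SAMPLE_PRIVATE = {
    "Owner": {"ID": "exampleowner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleowner"},
         "Permission": "FULL_CONTROL"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("world-writable", SAMPLE_WORLD_WRITABLE),
                      ("private", SAMPLE_PRIVATE)):
        print(name, analyse_acl(acl) or ["OK"])
```

A bucket policy can grant `s3:PutObject` to `"Principal": "*"` with a perfectly clean ACL, so a real audit also reads `get_bucket_policy`; and since late 2018 the account-level and bucket-level S3 Block Public Access settings (`put-public-access-block`) stop both routes, which was not available when this story ran.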

15 of 58 comments

  1. Who did they hire to do this? by Narcocide · · Score: 1

    Not me, that's who.

  2. "Unintentionally" by sexconker · · Score: 5, Insightful

    Like how they "unintentionally" point visitors to ads and scripts created by third parties.

    If you're going to serve ads on your site, at least:

    1 - Be responsible for them.
    2 - Host them on your own domain.

    Does that break the current webvertising model? GOOD!

    1. Re:"Unintentionally" by sexconker · · Score: 4, Interesting

      I didn't read TFS. This appears to not be caused by ads, but by the LA Times serving content from a fucking publicly-writable storage source. Wooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooow.

    2. Re:"Unintentionally" by Anonymous Coward · · Score: 1

      In the summary, it says they had a -rw-rw-rw- AWS S3 bucket. Who am I kidding, you probably read the summary, but don't grasp what that means. SAD!

    3. Re:"Unintentionally" by Narcocide · · Score: 2

      Guess who else didn't grasp what it means. The person they hired to set it up! Whew good thing you saved money on that hire, hey guys?

    4. Re: "Unintentionally" by sexconker · · Score: 1

      Point 1 and 2 both stand. They just don't directly apply to the context of ads and this story (which didn't involve ads, but utter stupidity).

    5. Re: "Unintentionally" by Reverend+Green · · Score: 1

      Upwork FTW!

    6. Re:"Unintentionally" by Hal_Porter · · Score: 2

      If you're going to serve ads on your site, at least:

      1 - Be responsible for them.
      2 - Host them on your own domain.

      The corollary being that if sites host ads on another domain they're not responsible for them and so you a) shouldn't trust they're not malicious code and b) should block them.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;

    7. Re:"Unintentionally" by Narcocide · · Score: 1

      Think of it like a windows file share only more easy to access and (at least in this configuration) less secure.

  3. This is why. by Scutter · · Score: 5, Insightful

    Dear every site that demands that I disable my ad blocker:

      This is why I respectfully request that you get bent.

    Love,
    Scut

    --

    "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"

    1. Re:This is why. by freeze128 · · Score: 1

      I also make that request, but without the respect.

    2. Re:This is why. by war4peace · · Score: 1

      You might not be aware of the fact that Coinhive scripts can run in your browser even if you have AdBlock - because they are not ads.
      Disabling JS will help though.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)

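
The point in the comment above is that an ad blocker matches URLs against ad and tracker lists, while the Coinhive miner is an ordinary `<script>` tag that loads the library and calls its API. The following is an added example, not code from the article or from any commenter, showing what a content-level check looks like instead: it scans HTML for the Coinhive loader URL and for `CoinHive.Anonymous(...)` / `CoinHive.User(...)` calls, and extracts the site key passed to them, which is the identifier that tells the bucket owner (or an incident responder) whose Coinhive account is being paid. The two sample pages are constructed; the indicator list is illustrative, not exhaustive.

```python
"""Flag Coinhive-style miner loaders in HTML without relying on ad lists.

Added example, not code from the article or any commenter. The sample
pages are constructed; the indicators are illustrative, not exhaustive.
"""
import re
from typing import Dict, List

# The public loader path Coinhive served from its own domain.
LOADER_RX = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?[^\"'>]*coinhive\.com/lib/coinhive\.min\.js",
    re.I,
)
# The two constructors of the Coinhive browser API; the first argument is the
# site key that routes the mined monero to a Coinhive account.
API_RX = re.compile(
    r"\bCoinHive\.(?:Anonymous|User)\s*\(\s*[\"']([^\"']+)[\"']", re.I
)


def scan_html(html: str) -> Dict[str, List[str]]:
    """Return the loader tags and site keys found in an HTML body."""
    return {
        "loaders": LOADER_RX.findall(html),   # whole-match strings (no groups)
        "site_keys": API_RX.findall(html),    # captured site keys
    }


def is_mining(html: str) -> bool:
    """True if either the loader or an API call is present."""
    result = scan_html(html)
    return bool(result["loaders"] or result["site_keys"])


def fetch_and_scan(url: str) -> Dict[str, List[str]]:
    """Fetch a page and scan it (network; not used by the offline samples)."""
    from urllib.request import urlopen
    with urlopen(url, timeout=10) as resp:
        return scan_html(resp.read().decode("utf-8", errors="replace"))


# Constructed clean page: a first-party script only.
CLEAN_PAGE = (
    "<html><head><script src=\"/static/site.js\"></script></head>"
    "<body>News</body></html>"
)

# Constructed infected page: loader plus an anonymous miner started on load.
INFECTED_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLEKEY0000000000000000000000');
  miner.start();
</script></head><body>News</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, is_mining(page), scan_html(page))
```

This catches the straightforward case only; a loader proxied through the site's own domain or a renamed copy of the library needs behavioural signals (sustained CPU use, WebSocket traffic to a mining proxy) rather than string matching, and that is the gap a NoScript-style default-deny for JavaScript closes.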
  4. Always by AHuxley · · Score: 1

    No script
    Ad blocker
    Good quality AV for your OS.
    The trust in any site as a brand and their .com is gone.

    --
    Domestic spying is now "Benign Information Gathering"

  5. Corporate Main Stream Media by rtb61 · · Score: 1

    Just another collection of bloggers with delusions of grandeur, still thinking they are what they were last millennium, gatekeepers and controllers of the public mind state, and in reality nothing but yesteryear's corporate propagandists and corrupters of democracy. I find it hardly surprising they are running crypto miners and it probably isn't as accidental as they are trying to pretend it is. Corporations are waking up to the reality of the great election blowout, where corporate main stream media, the major internet companies and the sitting government, who conspired to steal an election, lost against us nobodies, all of us nobodies, millions of us nobodies.

    Advertising, do you know why it is failing on the internet, apart from the hype methods which only have limited traction (sort of a single-shot deal that has to be repeated, and it doesn't repeat well)? It lacks saturation. Before, in the olde daze, corporate main stream media had a lock-in on you and they could saturate your mind with 'selected ads'. Take a coke campaign: you would see the ad not once in a week but hundreds, even thousands of times a day. TV ten to fifty times in a day, then the radio another ten to twenty times, then billboards tens of times, then in print another ten to hundreds of times and then shop signs maybe tens of times again. Saturation ads. Now in the competitive space, many different ads across many different web sites cut down coke ads, no matter how much it spends, to maybe three or four times in a day, sometimes even tens of times a day but not always. So everyone used to run ad campaigns where they would saturate the market for a period of time to gain market share, with billions of exposures, now gone forever. Now they have to share, and people are buying content and going ad free, so they have even less to share. No longer can they saturate the market without spending way more than it is worth, having to outbid everyone else for space and still only getting minimal exposures. All the junk fooders are suffering because of this.

    Proof positive of this is how they all lost an election when they all blatantly colluded together, and that resulted in FUD https://en.wikipedia.org/wiki/..., which a lot of trolls capitalised on and made worse for shits and giggles, resulting in Russiagate (no matter what people think, they should not have lost, and they did because the old saturation advertising model failed miserably).

    So corporate main stream media looking to mine crypto would hardly be surprising; they are screwed, just another collection of bloggers with delusions of grandeur, who could not sell a corporate whore to a gullible and ill-informed public, even with the backing of a corrupt government and government agencies corrupted by political appointees. Soros is pissed off with Google and Facebook because they scammed him for millions in worthless advertisement placements, pointlessly targeted at those who were already sold and drinking the Kool-Aid. Kind of funny how things work out. So who paid those thirteen Russians? You can bet they feel really ripped off when it was publicly proven how little they achieved.

    --
    Chaos - everything, everywhere, everywhen

  6. Re:Those are not MY drugs... by Hal_Porter · · Score: 1

    He's a good boy. He was probably just taking care of those drugs and firearms for one of the older boys.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;