CBS's Showtime caught mining crypto-coins in viewers' web browsers
The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.
Here's a screenshot of the code on showtime.com, seen by El Reg before it was removed. The mining script was loaded early on the page, we note.
And on Showtime Anytime:
We contacted both Showtime and New Relic today asking for more details. Showtime refused to comment. New Relic told us it had nothing to do with the mystery code.
"We take the security of our browser agent extremely seriously and have multiple controls in place to detect malicious or unauthorized modification of its script at various points along its development and deployment pipeline," New Relic's Andrew Schmitt told us.
"Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic's agents. It appears they were added to the website by its developers."
We also asked Code Hive for details on the user account the injected code was mining for. "We can't give out any specific information about the account owner as per our privacy terms," the outfit informed us. "We don't know much about these keys or the user they belong to anyway."
The outfit did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.
The code was poorly configured – web admins are allowed to set the hashing rate – and resulted in people's machines slowing to a crawl, sparking complaints. Following the outcry, The Pirate Bay acknowledged the presence of the mining script, calling it "only a test" and promised to limit the CPU usage to make it less annoying. A few days later, the organization dropped the idea all together.
Pirate Bay digs itself a new hole: Mining alt-coin in slurper browsersREAD MORE
Code Hive not only offers in-page mining but also mining through URL shorteners and CAPTCHAs. The huge advantage to the website operator using the code is that not only does the script use someone else's processing power but also their electricity, meaning that you can make money with very little effort. So long as you are willing to annoy your visitors.
Coin Hive's pitch is that this script could allowed publishers to pull annoying ads from their website – which is something that could become more important as browsers increasingly block ads.
However, the code has already been inserted in browser extensions and on typosquatted websites. And now, it looks as though someone may have tried to hack Showtime's website in order to insert the code and make money while not having any direct impact on the website itself.
Hat tip to Troy Mursch for alerting us to this mystery.
Sponsored: Becoming a Pragmatic Security Leader