Thousands of websites around the world – from the UK's NHS and ICO to the US government's court system – were today secretly mining crypto-coins on netizens' web browsers for miscreants unknown.
The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind or partially sighted people.
This technology was compromised in some way – either by hackers or rogue insiders altering Browsealoud's source code – to silently inject Coinhive's Monero miner into every webpage offering Browsealoud.
For several hours today, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper.
A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), Lund University (lu.se), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.
Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.
Scrambled ... A portion of the obfuscated mining code injected via Browsealoud today
The malicious code was first spotted by UK-based infosec consultant Scott Helme, and confirmed by The Register. He recommended webmasters try a technique called SRI – Subresource Integrity – which catches and blocks attempts by hackers to inject malicious code into strangers' websites.
Just about every non-trivial website on the planet loads in resources provided by other companies and organizations – from fonts and menu interfaces to screen readers and translator tools. If any one of these outside resources is hacked or tampered with to perform malicious actions, such as mine crypto-coins, all the websites relying on that compromised resource will end up pulling the evil code onto their pages and into visitors' browsers.
Now that's taking the p... Sewage plant 'hacked' to craft crypto-coinsREAD MORE
Until more websites use this protection mechanism, third-party resource providers – like Browsealoud – will be targeted by criminals to spread miners, or worse, on thousands of websites. A scumbag simply has to hack one provider to effectively infect countless other webpages.
"Third parties like this are absolutely a prime target and have been for some time," Helme told El Reg today. "There's a technology called SRI (Sub-Resource Integrity) designed to fix exactly this problem, and unfortunately it seems that none of the affected sites were using it."
A spokesperson for Texthelp told us as we were preparing to publish that it has removed its Browsealoud code from the web while it probes the security cockup, shutting down the illicit Monero-crafting operation.
"We are addressing this immediately," the biz said via Twitter. "Our Browsealoud service has been temporarily disabled whilst our engineering team investigates."
Luckily, the injected code was just trying to slyly mine Monero coins – one XMR is worth $238.65 or £172.56 right now – rather than anything more malevolent, such as popping up dodgy ads, stealing passwords, snooping on keystrokes, or tricking people into installing malware.
Updated to add
“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp's chief technology officer Martin McKay in a statement.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”
The company added that "no customer data has been accessed or lost," and "customers will receive a further update when the security investigation has been completed."
Sponsored: Webcast: Simplify data protection on AWS