The altered Browsealoud plugin began mining Monero Sunday morning on more than 4,200 websites spanning the globe, including governments, organizations, and schools. Among them was the State of Indiana, the U.S. court information portal, the City University of New York, the U.K.’s National Health Service, the U.K.’s Student Loans Company, and many more.
Most websites typically rely on plugins to pull content and tools from third-party developers. These can include translators, shopping baskets and ecommerce, menus, and so on. But the discovery of Coinhive’s miner in Browsealoud points to the possibility that if a hacker could gain access to one plugin for malicious purposes, thousands of websites could suffer.
Plugin content typically resides on a remote server and sent to the target web page using a secure connection. The problem is that there is no real system to authenticate the actual content. Thus, someone with access to the content could easily inject malicious code, and the resulting websites using the plugin would serve up the malicious content despite registering the server as secure.
One method to fix this problem is called Subresource Integrity. It comprises of two HTML elements with an “integrity” attribute that relies on a cryptographic hash. If the number provided to the website doesn’t match the number associated by the content, then the website can catch and block the malicious code. Unfortunately, this isn’t a widely used technique, but the recent issue with Browsealoud may convince more websites to utilize the Subresource Integrity method.
Coinhive’s miner was reportedly only active in the Browsealoud plugin for a few hours before Texthelp pulled the plug. And although the outcome was apparently only to generate digital coin, the company still considers the hack as a criminal act.
“Texthelp has in place continuous automated security tests for Browsealoud — these tests detected the modified file and as a result, the product was taken offline,” Texthelp Chief Technical Officer Martin McKay said in a statement. “This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”
Texthelp is currently working with the National Crime Agency and the National Cyber Security Agency to hunt down the hacker(s).