UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned

Thousands of websites around the world – from the UK's NHS and ICO to the US government's court system – were today secretly mining crypto-coins on netizens' web browsers for miscreants unknown. The affected sites all use a fairly popular plugin called Browsealoud, made by Brit biz Texthelp, which reads out webpages for blind …


      1. Doctor Syntax Silver badge

        Re: Don't load third-party scripts

        @veti.

        5. If it's marketing driving this, adopt some combination of 1 and 2 and charge the work to their budget.

        1. bombastic bob Silver badge

          Re: Don't load third-party scripts

          6. Come, look at this marvelous view from the ginormous 3rd floor office window...

      2. bombastic bob Silver badge

        Re: Don't load third-party scripts

        "3. Avoid scripts entirely."

        you need to sell this better.

    1. Random Handle

      Re: Don't load third-party scripts

      > Concretely, what this means, is that they should host their own instance of the service

      That messes with Browsealoud's business/licensing model - and it's far from a cheap product. Browsealoud pre-dates the (W3C) Web Speech API which is supported by all current browsers, trivial to implement and should have made the product redundant anyway.

  1. cantankerous swineherd Silver badge

    JavaScript. just say no.

    1. sabroni Silver badge

      It's the implementations that are the problem, not the language. If you don't know how to use it properly that's your fault.

      1. Anonymous Coward

        I think the point is you shouldn't need JavaScript in a web browser in the first place.

        JavaScript was created when HTML was primitive, as a means of extending a web site's capabilities, usability, etc.

        You 'should' now be able to do everything in HTML/CSS, and that includes anything dynamic. If there is something that you can't do in HTML/CSS currently, that needs JavaScript, then HTML/CSS should be extended to add that functionality, assuming it's valid of course.

        I'd love to see a time when all the whizzy stuff can be done without needing to revert to JavaScript; at that point JavaScript could be deprecated, and not just disabled in web browsers, but actually removed from the code completely.

        AC as I work in a dev area that heavily uses JavaScript, and they know me on here :-)

        1. bombastic bob Silver badge

          "I think the point is you shouldn't need JavaScript in a web browser in the first place."

          I really wish I could do this 100% of the time. But then, if the customer needs 'google maps' embedded on the page, for whatever reason, you can just have a *teensy* bit of script to support it.

          So I guess I'd re-state that: "You shouldn't need any more than a tiny bit of JavaScript, if any at all, in a web browser in the first place"

        2. albaleo

          If there is something that you can't do in HTML/CSS currently, that needs JavaScript, then HTML/CSS should be extended to add that functionality, assuming it's valid of course.

          It's Monday, so forgive me if I sound a bit dense. I'm charged with developing a web application that, among other things, has various fancy chart gizmos. These charts are expected to change their appearance at the touch of a button - switch from column charts to bar charts, provide popups for every data point on hover, change the confidence level curve when the user wants to switch from 90% to 91% to 92% confidence, allow the user to change the colors used, etc. The application basically loads all the needed data in the browser, and then the entire interface is controlled with Javascript. Is there any feasible way to do this kind of thing with html and css?

          (Some of you may think this is not the appropriate use of a browser. I don't disagree. But clients don't want to install desktop applications. It's been this way for almost 20 years. Screamed at for using Flash, and I'm pretty sure I'll be screamed at soon for using Javascript. )

    2. JLV Silver badge

      >JavaScript. just say no

      Am I correct in assuming the 19 upvoters have turned JS off globally in their browser? Have NoScripted El Reg entirely? Or are visiting via Lynx?

      Most impressed!

  2. Jack of Shadows Silver badge

    I'm waiting for one of these third party inclusions that takes advantage of a working Spectre javascript exploit. Hacking just the right third party code would end up pwning an impressive count completely invisibly.

  3. Anonymous Coward

    One word: No script

    1. Keef

      One word would be NoScript.

      No script is two words.

      I guess counting ain't your thing Dear AC.

      1. Anonymous Coward

        > I guess counting ain't your thing Dear AC.

        Oh! He's zero-based.

    2. Adam 1 Silver badge

      wouldn't have helped most folk

      Most folk who use no script do not block each and every JavaScript. They rather block by default, then whitelist either sites you trust, or specific scripts or whatever. In this specific circumstance, a lot of the sites would have been trusted, and even going through the details, is a JavaScript for a known screen reader going to set off any alarm bells?

  4. Phil Endecott Silver badge

    > Just about every non-trivial website on the planet loads in

    > resources provided by other companies and organizations

    Really? OK, adverts. But other than that? Surely at least many of them are self-contained. I hope.

    If you are going to use 3rd-party code, you've got a difficult decision to make: import it from the 3rd party when the page loads and you're vulnerable to the 3rd party going down, getting hacked etc. But on the other hand, if a security issue is found then they may be able to fix it without you having to take any action. Copy the code to your own server and you'll find you've not kept up with updates and you get hacked....

    1. Doctor Syntax Silver badge

      "Copy the code to your own server and you'll find you've not kept up with updates and you get hacked."

      Why are so many updates required (it seems to be a given in a number of comments)? If it's because the code is a bundle of bugs you'd be better off not having it. If it's because of new "features" (did someone say Agile?) then those updates may be adding more vulnerabilities, not removing them.

      1. sabroni Silver badge

        If you've tested your site and it functions correctly, why would you auto-deploy updated dependent files? How do you schedule regression testing? Watch all the third parties for when they change? May as well host the files yourself. You can't be serious about your site if you'll let multiple third parties update bits of it independently...

  5. Anonymous Coward

    HOSTS

    I created a custom HOSTS file based off of popular open sourced mining blockers like this one:

    https://github.com/keraf/NoCoin/blob/master/src/blacklist.txt

    1. Anonymous Coward

      'I created a custom'

      Ignore the 'coin mining messages' in the background? :xd

  6. Pen-y-gors Silver badge

    Signature?

    An interesting idea.

    If a scumbag-in-the-middle is 'enhancing' code as it flies down the fibre from the CDN to your server, then signatures could be useful. But if the miscreant has managed to corrupt an official upgrade somehow then you're still stuffed.

    There are times I have happy dreams of going back to debugging 10,000 lines of COBOL in the daily accounts overnight batch job. Life was simpler then...

    1. Claptrap314 Bronze badge

      Re: Signature?

      Apparently, you don't understand how signatures work. The keys are referred to as the "crown jewels", and held MUCH more tightly than what they sign. Of course, a complete compromise of your network will (probably) get them, but not all hacks get that far. In particular, you can hack the site that hosts my code all day long, you won't get anywhere near my hosts with my keys.

      When China got insiders and exfiltrated data from Google, the crown jewels were not touched. And that was before Google started to talk seriously about security.
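Added example, not from this thread or from Texthelp: the "import it from the 3rd party" vs "pin what you reviewed" trade-off Phil Endecott and Pen-y-gors describe has a standard mechanism in browsers, Subresource Integrity (SRI), where the script tag carries a hash of the reviewed file and the browser refuses to run anything that does not match. The Python below computes that token and reproduces the browser's check; the script bodies and the CDN URL are constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample: the third-party script as it looked when the site owner reviewed it.
PINNED_SCRIPT = b"window.ba = window.ba || {};\nwindow.ba.speak = function (t) { /* read t aloud */ };\n"

# Constructed sample: the same file with one line appended, as an edit at the CDN or in transit would leave it.
TAMPERED_SCRIPT = PINNED_SCRIPT + b"/* extra line inserted after review */\n"

SRI_ALGOS = ("sha256", "sha384", "sha512")  # the only digests SRI-capable browsers accept


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Build the SRI token ("<algo>-<base64 digest>") that goes in the integrity attribute."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Reproduce the browser's check: hash the fetched body and compare with the pinned token."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    actual = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
    # constant-time compare; on mismatch the browser blocks execution and logs a console error
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, integrity: str) -> str:
    """Emit the tag a site owner would ship; crossorigin is required for cross-origin SRI checks."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


PINNED = sri_integrity(PINNED_SCRIPT)

if __name__ == "__main__":
    # hypothetical CDN URL, not the vendor's real one
    print(script_tag("https://cdn.example/plus/scripts/ba.js", PINNED))
    print("reviewed copy passes:", verify_sri(PINNED_SCRIPT, PINNED))
    print("altered copy passes:", verify_sri(TAMPERED_SCRIPT, PINNED))
```

The pin only protects the version you reviewed: a legitimate vendor update also fails the check until you re-pin, and, as Pen-y-gors notes, a corrupted official release that you review and pin is not caught by this at all.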

  7. Anonymous Coward

    ICO web site down?

    Don't worry, no one will notice if it never comes back online.

    As for OFCOM, we can only...

    1. Pedantic Twat

      Re: ICO web site down?

      Would you Adam and Eve it - I had to write an article on GDPR this morning so I noticed! Grrrr. It came back about an hour ago.

  8. Anonymous Coward

    Is it just me?

    Or does the linked search site URL look like it's one to avoid:

    https://publicwww.com/websites/browsealoud.com/plus/scripts/ba.js/

  9. onefang Silver badge

    Is it just my dirty mind that saw cunny.edu, escorts.gov, and lu.ser?

  10. Nigel Whitfield.

    No surprise

    Much though the fans of crypto currency would like to ignore it - and setting aside the security issues that lead to this particular incident - isn't stuff like this an almost inevitable consequence of the way crypto currencies work?

    If you create a system that is based on the premise of "swap processor time for currency" then there are going to be a lot of people who will try to find ways to grab time on other people's processors, for their own gain. Whether it's hacks like this one, emailed worms, or something else, the incentive is going to motivate many people to have a try, and get "free" money.

    1. Alan Brown Silver badge

      Re: No surprise

      "If you create a system that is based on the premise of "swap processor time for currency" then there are going to be a lot of people who will try to find ways to grab time on other people's processors, for their own gain. "

      This was one of the biggest worries of the camram-spam mailing list around 20 years ago - and in that case the currency (hashcash) was "merely" the ability to deliver email.

  11. This post has been deleted by its author


Biting the hand that feeds IT © 1998–2019