39 comments

[ 0.22 ms ] story [ 73.4 ms ] thread
How does this work?
See https://coinhive.com

It mines Monero using JavaScript. Best suited for sites where you sit on one page for a long time, and where there's lots of visitors.

Often, it turns out that it isn't the site owner doing it, but rather, they were hacked, and someone injected the JavaScript.

Yeah in Buenos Aires
I can't see how the security researcher's advice helps anyone.
It's both good general advice and complete nonsense, because people wouldn't see anything suspicious here. That, or public wifi is always suspicious anyway.
It's good advice but completely irrelevant to this incident.
This wasn't the first, and it won't be the last.

  https://twitter.com/imnoah/status/936948776119537665/photo/1
  https://www.theverge.com/2017/9/26/16367620/showtime-cpu-cryptocurrency-monero-coinhive
  https://wccftech.com/the-pirate-bay-cryptojacking-mine-monero/
  https://coinhive.com/
From Coinhive:

  *Ad-Free Content
  Run your site without ads

  Coinhive offers a JavaScript miner for the Monero Blockchain 
  that you can embed in your website. Your users run the miner 
  directly in their Browser and mine XMR for you in turn for
  an ad-free experience, in-game currency or whatever 
  incentives you can come up with.*
There's a Twitter threading site that does this too: https://twitter.com/tttthreads/status/922503320765218816
(comment deleted)
It was the WiFi provider not Starbucks. I'm guessing they were doing this at other cafes and hotels etc.
It was Starbucks’ wifi provider, selected by Starbucks and operating under Starbucks’ supervision. This is 100% on Starbucks, not on anyone else.
I do agree that Starbucks share responsibility but would you really say that 0% of the responsibility is with the person or people who actually set up the mining?
So you're saying never to trust 3rd party providers? It's one for the legal team I'd say; in this case Starbucks probably didn't provision for abuse or time spent in the wifi portal in the contracts. Might have a case for causing reputation damage.
If it were my business I'd absolutely say that. Doesn't mean you shouldn't USE 3rd party providers but you should be very careful. That's obviously not saying anything about legal responsibilities, of which I know nothing about.
meh

I'll take background mining over ads any day.

Users may bitch and moan now, but they'll come groveling back in no time. Their outrage is no match for their lack of attention span and need for free content. Soon enough background mining will be as un-newsworthy as banner ads.

I agree. Mining seems to hit the sweet spot, especially if it's only for a short period of time or a minimal amount of system resources.

You want to have free content and who likes ads? Mining instead of ads is a good idea. I mean many websites have video ads with autoplay that takes both resources AND bandwidth. The issue is that I believe many will do both.

Same. I would just like to know if a site is mining or not, if for no other reason than to optimize my battery life when I’m out.
Except that majority of PC users are on laptops, and mining in the background WILL make your fan go nuts, which is not what you want as a user. On my desktop - sure, I won't even notice. But on a laptop, where the fan stays off/low rpm when just browsing? Nope.
Battery life is an even bigger issue. I don't want to see ads, but I also don't want my phone or laptop's battery being drained so the site owner can get a few fractions of a penny.
If you don't use VPN, this is one more reason to make sure to exclusively use HTTPS.
HTTPS or not, the mining script will work
But the Wifi provider can't inject their own mining script on arbitrary sites with https.
That is true, but usually the wifi login portal is not under https, which seems to be what the article implies.
This wasn't injected though. It's a splash screen that pretends to load for 10 seconds (whilst mining) before forwarding the user on to some starbucks rewards site.
But they won't be able to inject the miner into HTTPS protected sites.
If you look at the screenshot of the code it isn't an injection. It's a deliberate redirect page put in to delay you for 10 seconds whilst they mine bitcoin.
I use my PC fan as a detector for nefarious scripts. If opening a site causes a fan to run at its peak for more than few seconds, I close it immediately or at least disable JS on it.
Why not just monitor CPU usage over time? Should be more or less the same thing, no?
It's funny because if your computer is plugged in at a Starbucks, they're mining with their own electricity. Whoever did this wasn't stealing from their customers nearly so much as they were stealing from Starbucks themselves.