Government websites hijacked by cryptomining plugin

Haythem Elmir


More than 4000 websites, including many belonging to governments around the world, were hijacked this weekend by hackers who managed to plant CoinHive code designed to exploit the computer power of visiting PCs and mine for cryptocurrency.

High profile websites impacted by the hack included the UK’s Information Commissioner’s Office, NHS websites, and even the homepage of the United States Courts.

The alarm was raised by British security researcher Scott Helme who posted details on Twitter as he found more and more affected sites, and narrowed down the problem to a popular accessibility plugin called « BrowseAloud » which helps make websites more accessible to visually-impaired internet users.

No doubt many public sector organisations found themselves hit by the poisoned version of BrowseAloud because of their legal obligation to make their information accessible to people with disabilities.

Texthelp, the developers of BrowseAloud, posted an alert on its website and took the service offline:

At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway.

Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.

Things could have been much worse. Imagine if the plugin had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.

Whenever you use someone else’s code on your website you are increasing your attack surface. If a hacker wants to infect four thousand websites, it is likely to be a lot less effort to tamper with one third-party script used by all four thousand than to compromise each website one by one.
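The standard defence against exactly this scenario is Subresource Integrity (SRI): the site owner pins the hash of the third-party script in the `<script>` tag, and the browser refuses to run the file if its contents no longer match. The article does not mention SRI; the following is an added example, not code from the article, from Texthelp, or from the BrowseAloud product. The script bodies are constructed samples (the URL `https://example.invalid/widget.js` is a placeholder), and `verify_sri` emulates the browser-side check so the pin/verify round trip can be run offline.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the third-party script as it looked when the site owner
# pinned it (hypothetical content, not the real BrowseAloud file).
PINNED_SCRIPT = b"window.addEventListener('load', function () { /* widget */ });\n"

# Constructed sample: the same file after extra code was appended to it.
TAMPERED_SCRIPT = PINNED_SCRIPT + b"/* injected */ startMiner();\n"

_SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(script: bytes, algorithm: str = "sha384") -> str:
    """Return the SRI integrity value for a script body: "<alg>-<base64 digest>"."""
    if algorithm not in _SRI_ALGORITHMS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, script).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script: bytes) -> str:
    """Build the <script> tag a site owner would embed for a pinned third-party file.

    crossorigin="anonymous" is required for SRI on cross-origin scripts so the
    browser can read the response body and hash it.
    """
    return (f'<script src="{src}" integrity="{sri_hash(script)}" '
            f'crossorigin="anonymous"></script>')


_INTEGRITY_RE = re.compile(r'integrity="([^"]+)"')


def verify_sri(tag: str, served_script: bytes) -> bool:
    """Emulate the browser check: does the served body match the pinned hash?

    A tag without an integrity attribute is treated as unverified here (a real
    browser would simply run the script, which is the risk being illustrated).
    The attribute may list several space-separated entries; this emulation
    passes if any entry with a supported algorithm matches (the spec further
    narrows this to entries using the strongest listed algorithm).
    """
    m = _INTEGRITY_RE.search(tag)
    if not m:
        return False
    for entry in m.group(1).split():
        algorithm, _, _ = entry.partition("-")
        if algorithm not in _SRI_ALGORITHMS:
            continue
        if hmac.compare_digest(sri_hash(served_script, algorithm), entry):
            return True
    return False


if __name__ == "__main__":
    tag = script_tag("https://example.invalid/widget.js", PINNED_SCRIPT)
    print(tag)
    print("pinned file accepted:", verify_sri(tag, PINNED_SCRIPT))
    print("tampered file accepted:", verify_sri(tag, TAMPERED_SCRIPT))
```

The trade-off is that the pin is tied to one exact file: when the vendor legitimately ships a new version, every embedding site has to update its `integrity` value, which is why vendors who serve auto-updating scripts from a fixed URL tend not to offer SRI hashes. For a widget that changes rarely, the cost is small and a single tampered file is refused by every pinned site at once.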

To read the original article:

