Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency

from the whoops-a-daisy dept

Showtime’s websites recently began covertly hijacking user browsers to mine cryptocurrency, and neither Showtime nor its parent company CBS appear interested in explaining how or why it happened. The code in question — a bit of JavaScript dubbed Coinhive, was embedded in two different Showtime domains: Showtime.com and Showtimeanytime.com. When a visitor visited these domains, their browser was hijacked and their computer was forced to help mine Monero, a new privacy-centric alternative to bitcoin currently valued at around $92 each.

The mining software was first noticed by a Twitter user who discovered the Coinhive miner buried early on in the source code:

Users weren’t alerted that this was happening, and visitors reportedly found the mining software utilized up to 80% of a visiting user’s CPU cycles. Such miners can also notably drain battery life for visitors on mobile devices. And as of this writing, Showtime has been completely unwilling to confirm that this occurred, much less explain how the code appeared. The company has refused to respond to numerous requests for comment from a myriad of websites, Techdirt included. The code appeared in the evening of September 23, and had disappeared by the next Monday morning.

It seems relatively unlikely that executives or developers at Showtime thought it would be a good idea to hijack the browsers of potential customers to mine cryptocurrency, leading many to believe that Showtime’s servers were likely hacked by somebody looking to covertly make a little extra money:

“The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers’ pages, so the code must have come from another source ? or was injected by miscreants who had compromised Showtime’s systems.”

That said, it’s not impossible that Showtime was running an experiment. Cryptocurrency miners have been making headlines in recent weeks after The Pirate Bay was caught also covertly using Coinhive to hijack visitor browsers to make extra bank. Coinhive only just launched September 14, advertising itself as a creative alternative to the traditional advertising model. But after users over at the Pirate Bay subreddit discovered the practice and began to complain, the website was forced to pull the software from its code and issued a relatively flimsy mea culpa:

“As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running.”

Except covertly hijacking a browser with glorified malware obviously isn’t a great way of “keeping a site running,” especially if websites running to embrace Coinhive refuse to let users opt out — much less inform them this is even happening. Not surprisingly, the recent rise in such stealth cryptocurrency miners has resulted in Adblock Plus moving to help block such hijacks. Malwarebytes analyst J?r?me Segura warns in a blog post that some websites appear unsurprisingly intent on “pushing the limits towards a really bad user experience”:

“Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience. The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.”

Again, there are creative alternatives to advertising, and then there’s just being an asshole. Hijacking a visitor’s browser, CPU and electricity to mine cryptocurrency without informing them — or letting them opt out — sits firmly in the latter category.

Filed Under: , , , ,
Companies: cbs, showtime

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency”

Subscribe: RSS Leave a comment
42 Comments
Machin Shinsays:

Interesting idea though

Sadly the bad actors are going to kill all chances of it working, but does make me wonder.

What if you ran a site and just had clean banner at the top politely asking people to please run the miner to support you? It could actually be a good alternative to ads… So long as it is done clearly upfront and Opt-in only.

Anonymoussays:

Re: Interesting idea though

That is an interesting idea. Can these miners limit the amount of CPU usage they use? Or let the user determine how much of the CPU is used?

I’d like to see the math on that and compare it to ad revenue. Would it be more? Less? Equal to?

I loath ads with every fiber of my being. But I would definitely volunteer some CPU time during my visits.

Anonymoussays:

Re: Re: Interesting idea though

Rightly so, same should be done to showtime, but the problem is that tidbit is in the wrong class of humans.

Any website that runs code that performs work to consume resources at the expense of the consumer, especially without any notice/permission, is against the CFAA.

As a user I expect to pay for the electricity and my costs to connect to the infrastructure and to consume bandwidth to display/interact with the services that a website is offering. The moment they start consuming any of my resources to make them money without first obtaining explicit permission then they are criminally liable for every watt my CPU consumes crunching their code!

I am okay with this replacing ads, but only as long as I am notified that my machine is now being used like this and given a choice to participate or not!

It should be illegal for a website to require someone to allow their computer to become a botnet, even it temporary, to consume a website!

Anonymoussays:

Re: Re: Re: Interesting idea though

Any website that runs code that performs work to consume resources at the expense of the consumer, especially without any notice/permission, is against the CFAA.

This has the makings of a very entertaining slippery slope. Suppose a website could lay out its content properly, as a static page on the server, which is then sent verbatim to clients; or they could indulge their JavaScript addiction and make the client do all the work laying out the page. The latter will be slightly more CPU efficient for the server (although globally much less efficient since each client would perform the work independently, rather than asking the server to do it once), thus saving them money by requiring the client to perform extra work to use the page. Frequently, such client-side rendered pages are at best equivalent, and usually far worse, user experience than doing it properly on the server (hence satisfying your "at the expense of the consumer"). Would that rise to a CFAA claim under your standard? It feels like it shouldn’t, but it’d be greatly entertaining if it did, because then most Javascript addicted sites could be chased for CFAA. ­čśÇ

TripMNsays:

Re: Re: Re: Re: Interesting idea though

All modern web frameworks that work as single page apps (Ember, React, Angular) do just what is being talked about. They render the HTML once, and then only send JSON data blocks back from the server and the browser/JS does the unpacking and processing and re-rendering.

If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.

BTW, “asking the server to do it once” is mostly incorrect except on the simplest web pages because injecting any amount of personalization into a page requires the server to render the page for each user.

Anonymoussays:

Re: Re: Re: Re: Re: Interesting idea though

Your points are valid wrt any actions initiated by the user … however it appears that the article is discussing other non user initiated activity performed upon user’s machine without their knowledge/consent.

What would happen if the unnecessary activity initiated by the website visited by a user who is not aware of said activity … were to be found illegal? Who is responsible? How does said user defend against this?

Anonymoussays:

Re: Re: Re: Re: Re: Interesting idea though

“If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.”

Remember, CFAA explicitly states that any usage of a computer that gains access without authorization or attempts to perform a task that exceeds current authorization is abuse.

A website running code to perform its function for serving up content is legit for the obvious reasons. However, the point where the code is now executing something that is “not useful” to that purpose means they exceeded authorization.

Just visiting a page is NOT authorization to just run any code on the visiting machine.

I think the problem here is that once again, we allow companies too much latitude in what they do, just throwing the doors wide open until the abuse is TOO obvious to the point where pretzel logic cannot defend it. This is what created the problem of IoT vulnerability.

Imagine if a store asked all of its customers to process a mathematical equation when they enter the door or face getting kicked out. The more we allow this to continue, the more slippery that slope gets.

Anonymoussays:

Re: Re: Re: Re: Re: Interesting idea though

All modern web frameworks that work as single page apps (Ember, React, Angular) do just what is being talked about. They render the HTML once, and then only send JSON data blocks back from the server and the browser/JS does the unpacking and processing and re-rendering.

Actually, my experience has been that they render the HTML exactly zero times, then send a blob of Javascript to the client to construct the page. That’s what causes them to be so utterly broken for users who wisely block Javascript. If they did it right, the Javascript would be a progressive enhancement on top of an already usable page. Most sites instead do it dead wrong and make the page totally unusable unless you pull in untrusted scripts from half a dozen different servers.

Personally, I never authorize any site I visit to run Javascript on my computer. Under the frequently twisted interpretation of the CFAA, since I don’t want it to happen, and yet it happens, it must be a CFAA violation. ­čśë

If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.

I know. I can dream though.

BTW, "asking the server to do it once" is mostly incorrect except on the simplest web pages because injecting any amount of personalization into a page requires the server to render the page for each user.

Sure, personalization requires customization. That’s obvious. But how often are personalized pages actually necessary when viewing content that is functionally identical across all users (e.g. listing of current news or thread titles in a forum)? There are way too many sites that have decided that everything that could possibly be personalized must be, whether or not it makes any sense.

ShadowNinjasays:

Re: Interesting idea though

…I don’t know about you, but I keep literally 10+ tabs open at a time.

What would happen if all 10 of those sites tried to make my computer mine crypto-currency for them?

Even the best computers would probably choke and crash under that onslaught.

Or the computer’s anti-virus would start alerting the user like crazy that someone’s trying to inject malware on your computer.

Anonymoussays:

Re:

I’m not Mike Masnick, but I’ve blocked Javascript in my browsers for many years now — only allowing it permanently from a few dozen sites, only allowing it temporarily on a limited basis. Yes, this sometimes breaks things, and yes, there are a lot of sites that pull Javascript from WAY too many sources (Techdirt appears to be using 16) but rampant abuse has made it necessary — just as it’s become necessary to block all advertising.

Eldakkasays:

Re: Re: Re: Re:

ditto.

Been using javascript blocking for years. In the early days I’d have JS disabled entirely in the browser, then used addons that added a button to disable/enable it, then later ones that allowed per-site, then still later the more advanced ones like noscript, policeman, umatrix, and so on that allow blocking not just on the site, but subdomains, cross-site, and so on.

Anonymoussays:

Re:

I think i’ve seen Mike link to sites that don’t work without JS. He must have it enabled. But I don’t and Techdirt still works. Lots of sites haven’t tested obviously–sometimes the pages are just blank or "links" don’t work, sometimes you get an "enable javascript" message (don’t–it only encourages them).

Anonymoussays:

I'd love to see the disclaimer for this in the future...

“This website uses embedded crypto-currency mining software the borrows from your computer’s processing power. Please be aware that by visiting this website you agree to help us generate swaths of grey market currency while driving up your energy consumption, reducing the responsiveness of all your other programs, and possibly hurting your net bandwidth usage.

Also something something tracking cookies

[[I Accept]]”

Yes, I know I'm commenting anonymouslysays:

Get used to it

Tim Berners Lee recently enabled corporations to to this without you being allowed to find out..
It is called EME in combination with DMCA 1201. See https://boingboing.net/2017/09/18/antifeatures-for-all.html

Once the corporate overlords understand the process it will be everywhere.
Maybe then there will be some political pushback.

That One Guysays:

Re:

All along you are saying "the legacy industry should learn from piracy". Now they do, and you are upset.

A statement as stupid as ‘You were complaining that the restaurant didn’t have good food, and now that they’ve taken to adding a $20 charge to the bill because screw you you’re upset?’

Or how about ‘People were complaining that movies were too expensive, and now that they’ve decided to just download them for free you’re upset’, would you accept that as valid?

Assuming it was done by the ones running the site itself(possible, and their refusal to explain anything certainly isn’t helping) then ‘Ads aren’t bringing in as much, let’s hijack our visitor’s system resources‘ is not a valid response, whereas being upset about a site serving up malware most certainly is.

Whether or not The Pirate Bay did something similar is besides the point, it wasn’t acceptable then, and it’s not acceptable now, so once again your attempt at a ‘Gotcha’ falls flat.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop ┬╗

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...
This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it