More than 4000 websites, including many belonging to governments around the world, were hijacked this weekend by hackers who managed to plant Coinhive cryptocurrency-mining code designed to exploit the resources of visiting computers.
High profile websites impacted by the hack included the UK’s Information Commissioner’s Office, NHS websites, and even the homepage of the United States Courts – uscourts.gov.
The alarm was raised by British security researcher Scott Helme who posted details on Twitter as he found more and more affected sites, and narrowed down the problem to a popular accessibility plugin called “BrowseAloud” which helps make websites more accessible to visually-impaired internet users.
No doubt many public sector organisations found themselves hit by the poisoned version of BrowseAloud because of their obligations to comply with legal obligations to make their information accessible to people with disabilities.
Texthelp, the developers of BrowseAloud, posted an alert on its website and took the service offline:
Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday.
Things could have been much worse. Imagine if the plugin had been tampered with to steal login passwords rather than steal CPU resources from visiting computers.
Whenever you use someone else’s code on your website you’re often increasing your attack surface. If a hacker wants to infect four thousand websites it’s likely to be a lot less effort tamper with one third-party script which is used by four thousand websites than compromise each website one-by-one.
For further discussion of this issue be sure to check out this episode of the “Smashing Security” podcast: