Popular Chrome Extension Embedded A CPU-Draining Cryptocurrency Miner (bleepingcomputer.com) 76
An anonymous reader writes: SafeBrowse, a Chrome extension with more than 140,000 users, contains an embedded JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent. The additional code drives CPU usage through the roof, making users' computers sluggish and hard to use.
Looking at the SafeBrowse extension's source code, anyone can easily spot the embedded Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others. This is the same technology that The Pirate Bay experimented with as an alternative to showing ads on its site. The extension's author claims he was "hacked" and the code added without his knowledge.
Looking at the SafeBrowse extension's source code, anyone can easily spot the embedded Coinhive JavaScript Miner, an in-browser implementation of the CryptoNight mining algorithm used by CryptoNote-based currencies, such as Monero, Dashcoin, DarkNetCoin, and others. This is the same technology that The Pirate Bay experimented with as an alternative to showing ads on its site. The extension's author claims he was "hacked" and the code added without his knowledge.
Re: (Score:1)
The extension's author claims he was "hacked" and the code added without his knowledge
your intellectuality bankrupt.
Head explodes* *
Though wrong in this case... good model? (Score:3, Insightful)
This hack was clearly wrong, but is the idea of intentionally using a cryptocurrency miner to profit from the writing of an extension a wrong one?
I think it would be interesting for websites and extensions to expand to giving a choice of at least three ways of paying for premium access. We already have a choice between paying a monthly fee or accepting advertisements on many sites. If given a third choice of allowing some of my CPU time to be utilized by the site or extension for cryptocurrency mining - at least on my plugged in laptop - I would choose to allow mining as long as it didn't peg my CPU and it was good at backing off when I had real needs.
In fact, with many websites I would love to have the option of allowing cryptocurrency mining to pay for it. It would be great if an efficient miner was built into the browser that could be utilized via some standard and has solid permission protection.
On a desktop it makes sense (Score:3, Interesting)
Re: On a desktop it makes sense (Score:1)
Same goes for over 90% of the computers my employer uses, if they are even dual core. I don't think quad core machines are that prevalent outside of more affluent communities and the enthusiast market. was not found on this server.
Re:On a desktop it makes sense (Score:5, Interesting)
the cost of the electricity is pretty minimal.
My computer at idle uses about 70 watts. At full load, it uses about 175 watts. Over the course of a year, the cost of that difference is typically at least $100 (several times that in some areas).
But even if you only have your computer running this for an hour a day, what even worse is how much a waste it is. Mining is very intensive. GPU and specialty hardware is sometimes profitable. CPU mining with optimized native code is NOT. CPU mining with something as inefficient as javascript is totally like flushing money down the drain. Sure, it's profitable for the thieves embedding this in banners and extensions because they have no investment in the cost (in the same way that it's profitable for a thief to smash a $100 window to grab the $5 bill you left on you seat). But as a means of "you run this code on your computer and I'll consider it payment", its a gigantic waste. You're better off just saying "paypal me 3 cents and I'll let you use my stuff for a year". Your profit will be about the same off that customer, the customer will save a ton of money, and you won't be destroying the environment in the process.
The problem is getting that 3 cents (Score:2)
Re: (Score:2)
Not everyone wants to log into some payment system and type in their details per site. Enter their details, CC number.
Confirm the payment and then do that again for the next site and next site.
A third option to just directly connect to a site and use their mining option removes the payment system, CC layer.
Why pay for a third party payment gateway too?
Re: (Score:2)
You do work, you are entitled to the dividends from that work, your stuff does work, they are entitled to the dividends from that work. You are not only stealing users resources but the outcome of those resources. Claim value in that crypto currency and by your definition, you have stolen capital value as well as resource use.
More interesting how many people believe the author of the extension and obviously the code should show where the proceeds of crime were sent.
Re:Though wrong in this case... good model? (Score:5, Insightful)
That's the same thing as paying for the extension, except instead of paying for it directly, you're paying for it indirectly via a higher electric bill. I (and I think anyone who really thinks this through) would rather pay a one-time fee to purchase the software/extension/access, instead of paying continuously for it every time I'm using my browser via a higher electric bill which works out to an indeterminate total sum.
Even if you're not paying for your electricity directly (your rent includes utilities), you still end up paying for it. If the landlord notices the electric bill is consistently higher, he'll just make your next rent increase a little higher. So you'll be paying a higher rent which pays a higher electric bill which pays for the software/extension/access. Burying expenses in this way under multiple layers of misdirection is how you nickle and dime people to death, and thwarts normal market forces by hiding the true cost of buying/using something.
If you don't like how much it costs to buy certain software or access, don't use it.
Re: (Score:3)
Re: (Score:2)
I'm running it on my machine at the office.
What? If the company made bigger profits it would pay me more?
Of course they would!
Re: (Score:3)
I'm running it on my machine at the office.
What? If the company made bigger profits it would pay me more?
Of course they would!
And you got your company's permission first right? I mean people have been arrested in the US for doing this.
Re: (Score:2)
What? If the company made bigger profits it would pay me more?
It is unlikely they would pay you more, but it is likely they would hire more people. Profitable companies grow (so they can make more profit).
Re:Though wrong in this case... good model? (Score:5, Insightful)
Companies don't hire people because they're making a profit. They hire people when, despite the threats & floggings, the existing workforce can't do the work needed.
Re: (Score:1)
tldr: Unidentified person claims that generalization doesn't apply in his specific situation; backs it up with anecdote.
Re: (Score:2)
Re: (Score:3)
Hi. Stuff costs money. There is no free lunch. I know we pretend ad-supported stuff is free, but obviously it is not. Assuming the economics of ad-supporter stuff actually does work, then users are spending more on shit they otherwise wouldn't have purchased by at least as much as the "free" stuff costs to make.
Re: (Score:2)
That's the same thing as paying for the extension, except instead of paying for it directly, you're paying for it indirectly via a higher electric bill. [...] Burying expenses in this way under multiple layers of misdirection is how you nickle and dime people to death, and thwarts normal market forces by hiding the true cost of buying/using something
I agree, but it should be pointed out that the same is true of ad-supported sites. There is a cost for producing ad-supported content, and it's paid for by the advertisers, who in most cases pay for it by charging higher prices than they would otherwise. So, it's also a payment mechanism with multiple layers of indirection. One that has proven extremely useful and effective, and one that is quite progressive in the sense that generally it's the people with plenty of money who end up paying the bulk of the c
Re:Though wrong in this case... good model? (Score:5, Informative)
Miners are now migrating to ASIC based rigs because GPU arrays aren't cutting it anymore, how efficient do you think a Javascript based software that "doesn't peg your CPU" is going to be? It's a gigantic waste of electricity, nothing else.
Re: (Score:1)
When someone else is paying for the electricity efficiency doesn't matter.
Re: (Score:2)
That is why I suggested the facility should be implemented by the browser with a secure standardized interface. Then it can be written in C++ and be highly optimized. Furthermore, the browsers already utilize the GPU, so it could utilize that too. I could even imagine if the model were widespread that computer makers might try to differentiate themselves by providing special circuitry.
This is not something where we'd be looking to provide for $100 worth of mining time per month from every user to pay for ex
Re: (Score:2)
Miners are now migrating to ASIC based rigs because GPU arrays aren't cutting it anymore, how efficient do you think a Javascript based software that "doesn't peg your CPU" is going to be? It's a gigantic waste of electricity, nothing else.
It depends on the coin you are mining. Some are designed to resist ASIC mining, others are small enough that the difficulty levels are still low enough to make it worthwhile.
Re: (Score:3)
Re:Though wrong in this case... good model? (Score:4, Insightful)
In fact, with many websites I would love to have the option of allowing cryptocurrency mining to pay for it. It would be great if an efficient miner was built into the browser that could be utilized via some standard and has solid permission protection.
Shhhh! Don't let Apple or Microsoft hear you. They already think that they own your PC/phone and can monetise it as they see fit. They could make a lot of money from crypto-currency mining on millions of machine world wide.
Re: (Score:3)
Re: (Score:2)
The extensions could set a price, not a "share", expressed perhaps as some number of calculations per second while the extension is active. That price would be made known to the user. I would expect it to typically be something that would result in pennies per month of revenue from a user. Extensions would be pressured to keep that down by users who would have to turn extensions off or pay in some other fashion if the overall budget was being exceeded. Frankly, even my quad core GPU equipped desktop replace
Re: (Score:2)
The thing you're ignoring though - it will end up just like it is now, with ads plastered everywhere AND they expect you to run their miner or not use their stuff/visit their page. Also, there is way too much room for abuse, everyone and their uncle will shove their stuff in no matter what any "spec" says they are allowed to do/should do.
Re: (Score:2)
There is zero information about a user contained within the results of cryptocurrency mining operations. The result is simply cash or a piece of the puzzle necessary to create cash.
Furthermore, the current system is fully based not only on the hijacking of our computer resources but on the attempted hijacking of our attention and thoughts... is the data transmission, cpu cycles, memory, screen real estate, etc used up to display ads free? We pay in many insidious ways via the current system. I suppose some
Breaking news! (Score:2)
This just in: the next release of Firefox will have an extension that contains an embedded JavaScript library in the extension's code that mines for the Monero cryptocurrency using users' computers and without getting their consent.
Re: (Score:2)
Whatcoin? (Score:3)
Serious question: I have not heard of a single one of these cryptocurrencies. They can only be in use by a tiny fraction of people compared to the Bitcoin community, which is already a very small, self-selecting minority. How can these random cryptocurrencies possibly be worth anything?
I mean ... we all know money is a fiction, right? So how can a cryptocurrency have any value if nobody will even accept it as a medium of exchange?
Re: (Score:2)
how can a cryptocurrency have any value if nobody will even accept it as a medium of exchange?
It couldn't. So if we accept that these currencies have a valuation, then the likely explanation is that people exist who are willing to buy the currency at (roughly) that price.
Well, either that or someone is making up a price to see if they can find someone willing to buy at that price; but the likelihood of "imaginative pricing" diminishes as the number of buyers and sellers increases.
Consider (Score:5, Informative)
Like I said in one of the previous articles, I am not totally opposed to the concept, as long as it is done right. But there are things to consider:
1) Laptops: battery life is critical
2) Mobile: battery life is critical
3) Virtual: Does the guest really know the host is "idle" or expecting such a load?
4) Noise: I don't necessarily want my computer that is in my living room ramping up all CPU's and making lots of fan noise
5) Power: You might not think it uses more power, but it absolutely does. I see it on my UPS which tells me exactly how many watts my system is using based on CPU load.
6) Waste heat: And in the summer, I have to pay to remove that heat too through the A/C.
7) Work: Just because it is a computer you are using, doesn't mean it is YOUR computer or YOUR power. Do you have permission from the actual owner(s), not just the user?
8) Multiuser: Yep, there actually are still such systems, and CPU load matters in such environments.
9) Other tasks: I have other things going on sometimes that I want done in a timely manner and don't want anything competing for those CPU resources.
10) UPS: And even with a desktop or server, will it have control to stop the load when it is suddenly on battery because the mains were lost? Runtime/uptime might matter.
11) Wear: Believe it or not there is actually "wear" when a CPU operates, and the more it operates, the more wear. The fans have to spin up faster, the transistors create heat which degrades the chip, the thermal connections, puts stress on the board or socket or other components, pulls more power from the power supply, etc.
It could be a useful tool, but only if it explicitly allows a user to control every aspect of how and when CPU is used. Is the user is made aware of exactly what it is doing and why? Is there is a UI that allows the user to set amount of CPU, priority, perhaps how many cores or threads, and when it could be used? I doubt what I just listed is compatible with all the models that this new "panacea" of questionable "revenue" of side-line mining brings.
Donating "unused" CPU power is nothing new. I did it decades ago for various scientific research. But I also did it completely under my control and with full knowledge about the effects.
Re: (Score:2)
>" and to be frank, you have total control over which website you go to."
Far less control than intentionally installing a client (which was open-source) and it also had full settings/preferences. In contrast, how do you know which sites NOT to visit until you go there AND notice what they are doing?
>"Else, they will continue to use adblock to stop both ads and miners for now."
Interesting concept, perhaps ad blockers will evolve to also handle mining. But it might be more difficult than blocking ads,
Another Reason to Avoid Apps Whenever Possible (Score:2, Insightful)
Further illustrates the risk of downloading any app. Even an app that's trusted today could become something entirely different after an update. To make matters worse, many smartphones are configured to update apps automatically. Though, even manual updating is no panacea, since often such security issues don't come to light until months later, if ever. So again, it's best to avoid apps whenever possible. Uninstalling or disabling apps not being actively used.