Browsealoud script delivered Coinhive miner
On 2018-02-11 between 03:00 and 11:45 UTC, the official ba.js JavaScript file served from Texthelp's Browsealoud CDN was modified to embed an obfuscated Coinhive Monero miner that ran in visitors' browsers.
Story
Browsealoud was a third-party accessibility script. Thousands of sites loaded ba.js from Texthelp, including public-sector and government pages. On February 11, 2018, that shared script became the delivery point.
The altered file wrote Coinhive mining JavaScript into pages that included it. Visitors did not lose money or credentials, but their browsers performed cryptocurrency mining for the attacker, burning CPU, battery, and trust.
Texthelp took Browsealoud offline after the compromise was reported. The NCSC used the incident to point administrators toward a simple lesson: third-party JavaScript executes with the authority of the page that includes it.
The defenses were old and still neglected. Subresource Integrity can pin a static script to a known hash. Content Security Policy can constrain where code may load from. Without those checks, one supplier file became code running across thousands of unrelated sites.
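As an added example (not code from Texthelp, the NCSC, or the original page), the Node.js sketch below reproduces the Subresource Integrity check a browser applies to a pinned script, and shows a changed copy of the file being refused. The file contents and the `cdn.example` URL are constructed placeholders, and the function names are hypothetical.

```javascript
// Added example (not Texthelp's or the NCSC's code): the SRI check a browser
// applies to <script integrity="...">, reproduced in Node.js.
const { createHash } = require('node:crypto');

// Digest algorithms SRI accepts, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];

// Value for the integrity attribute of a script whose bytes are `body`.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// True when `body` may run under the given integrity attribute value.
// Only digests of the strongest listed algorithm count; unknown algorithms
// and malformed tokens are ignored, as the SRI specification requires.
function sriAllows(integrity, body) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(\?.*)?$/.exec(token))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
  if (entries.length === 0) return true; // nothing usable was pinned, so nothing is enforced
  const alg = STRENGTH[Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)))];
  const actual = createHash(alg).update(body).digest('base64');
  return entries.some((e) => e.alg === alg && e.digest === actual);
}

// Script tag a site would publish after reviewing one exact copy of the file.
function pinnedScriptTag(src, body) {
  return `<script src="${src}" integrity="${sriFor(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample data: a stand-in for the reviewed file, and the same file
// after the supplier's copy changed. The URL is a placeholder.
const reviewed = Buffer.from('/* constructed stand-in for ba.js */\nwindow.BrowseAloud = {};\n');
const served = Buffer.concat([reviewed, Buffer.from('/* bytes added upstream */\n')]);
const tag = pinnedScriptTag('https://cdn.example/ba.js', reviewed);
const pinnedValue = /integrity="([^"]+)"/.exec(tag)[1];

console.log(tag);
console.log('reviewed copy runs:', sriAllows(pinnedValue, reviewed));
console.log('changed copy runs: ', sriAllows(pinnedValue, served));
```

Pinning only works when the supplier serves versioned, unchanging files; a script the vendor updates in place fails the check on every legitimate update as well.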
Affected Artifacts
- Observed: 2018-02-11
- Compromised Versions: Unknown
- Fixed: Not listed
- Affected Browsealoud artifact was ba.js as modified on 2018-02-11.
Incident Context
- Motive: Cryptojacking
- Attribution: Group
- Cause: Website Compromise
- Transitive: Yes
- Actor: Cybercriminal
- User Impact: 4275
External References
- NCSC advice: Malicious software used to illegally mine cryptocurrency (ncsc.gov.uk)
- Browsealoud compromised to serve Coinhive miner (theregister.com)
- UK Government Websites, US Courts System Mass Compromised to Mine Cryptocurrency (bleepingcomputer.com)
- Protect your site from Cryptojacking with CSP + SRI (scotthelme.co.uk)
Source record: proprietary/browsealoud/meta.yaml