browsealoud
Browsealoud accessibility script delivered Coinhive miner
On 2018-02-11 between 03:00 and 11:45 UTC, the official `ba.js` JavaScript file served from Texthelp's Browsealoud CDN was modified to embed an obfuscated Coinhive Monero miner that ran in visitors' browsers. Browsealoud is a text-to-speech and accessibility plugin embedded by ~4,200 websites worldwide; affected sites included the UK Information Commissioner's Office, NHS services, numerous .gov.uk and .gov.au domains, the US federal courts (uscourts.gov), and City University of New York. Texthelp's automated security tests detected the modified file and the service was disabled at 16:00 UTC; total exposure ~8 hours 45 minutes.
- Date
- 2018-02-11
- Category
- Commercial
- Target Surface
- Distribution
- Insertion Phase
- distribution
- Impact
- Cryptojacking
- Cause
- Website compromise
What Was Affected
Package
browsealoud
Languagejavascript
ComponentLibrary
Artifact typesource archive
Domain typevendor
Domain
browsealoud.com
Compromised Versions
- ba.js (Browsealoud, modified 2018-02-11)
Incident Context
- Motive
- Cryptojacking
- Attribution
- Cybercriminal
- Transitive
- Yes
- User Impact
- 4275
- Observed Duration
- 0 days
Evidence
Compromised Artifacts
External References
- ncsc.gov.uk/guidance/ncsc-advice-malicious-software-used-illegally-mine-cryptocurrency
- theregister.com/2018/02/11/browsealoud_compromised_coinhive
- bleepingcomputer.com/news/security/uk-government-websites-us-courts-system-mass-compromised-to-mine-cryptocurrency
- scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri
Source Data
Source record: proprietary/browsealoud/meta.yaml