Politifact Sees Unsactioned Introduction of Web Miner, Vows to Investigate

[Raevenlord]

This here is an issue that this editor has been fearing for a while, and that we here at TPU have called our users' attention to in the past. It's bad enough when websites willingly implement web mining scripts absent of users' consent or simple knowledge. Opt-in mining as a contribution to a website's revenue would be the best way to go around the issue; however, absent that, a simple opt-out capability wouldn't be much worse. But if stealth usage of a site viewers' computing resources is bad, what then can be said when the site managers themselves are unaware of the implementation of a web miner?

This is what happened with Politifact, the US politics fact-checking website, which is but one of hundreds of the world's top traffic websites that have seen the stealth introduction of these web mining scripts - against the will of the site managers. In the meantime, Politifact has brought down the offending code and has vowed to investigate, but this opens up Pandora's box, really. Generally speaking, these JavaScript apps are running code hosted on another server that the end user - and sometimes even the site hosts - can't inspect or don't expect to have to inspect. And this is easier to do than one would imagine; there's a lack of protection against JavaScript routines like this one. And where there's potential for profit, there's abuse; and that's what we're seeing. It also doesn't help that injecting the necessary JavaScript into the front page of a website is much easier than a full blown hack into a website's databases; and once the code has been shoehorned into a website's code, it runs itself, hijacking users' CPU cycles and putting the resulting Monero coins into a designated wallet.





Ad-blocker company AdGuard has released a blog post in which they presented some results on the state of web mining; in it, the company found that 220 websites launch mining algorithms when a user opens their main page - and these aren't your end of the Internet websites. These are estimated to boast of an aggregated audience of 500 million people from all over the globe - the Internet is mostly borderless, for everything that's positive about that - and negative. And this has happened in barely more than a month - Coinhive started offering their "mining as a service" code just a month ago, in the 14th of September. AdGuard estimates that these 220 sites' joint profit currently stands at over US $43,000. Those aren't millions - yet. But keep in mind this is money that has been made in three weeks at almost zero cost.



As we've mentioned before, if you want to be protected from such shenanigans, use an adblocker. These usually get the job done in blocking those extraneous bits of code, and will generally be enough to block this kind of scripts. uBlock Origin, AdBlock, AdGuard, or even some mining-specific blockers like AntiMine, NoCoin, and others. The choice is yours. Web based mining, however, is increasingly looking to be a dark cloud for users' rights on the Internet, and while the problem is a mere smoke column on the grand scheme of things right now, expect this trend to spread like wildfire.



View at TechPowerUp Main Site

 

[Rehmanpa]

Wonder how long till tweaktown adds this to their jumbled mess of ads ;P

 

[Solaris17]

I KNEW IT
Pirate Bay Mines Coins in Your Browser - Revenue Model of the Future?

 

[DeathtoGnomes]

yea cuz what mega site cares about users right when it comes to their profit. facebook will attempt this too if it hasnt already.

 

[remixedcat]

and next these same companies that mine will blather on and on about climate change BS...

 

[Dave65]

and next these same companies that mine will blather on and on about climate change BS...

You really went there?

 

[Jism]

As a webdeleloper, i can pretty much say that without going with a huge framework off the shell, but strictly custom build code, the changes are really zero to none that my websites are a succesfull target compared to these huge world wide traffic ranked websites.

Here's your problem. The ones who are responsible who create websites for these platforms, do not even fairly audit their code, do not even know what the hell they are doing sometimes. You might wonder why certain websites are being defaced or in this case, hacked and altered JS code, but it's simply due the fact that google is your biggest friend seeking vulnerable websites.

Websites these days are being clicked together rather then actually being custom work for the client. Yes clicking is far more easy, but here's where your culprit is. The unauditted code, the risk of being hacked, and the risk of infecting all your visitors with either malware or some bogus JS.

Now you got half the world going for an adblock, making revenue on a genuine website even more harder. I've used to crack websites in the past. These where usually your triple x websites where i'd create a login for you for 5$.

I've learned alot about defacing, hacking, cracking and all. This is simply hackers targetting big websites with a huge amount of traffic where these things would profit at maximum level. The fault is actually behind the people who build/maintain that website.

 

[moproblems99]

As a webdeleloper, i can pretty much say that without going with a huge framework off the shell, but strictly custom build code, the changes are really zero to none that my websites are a succesfull target compared to these huge world wide traffic ranked websites.

Do you use shared hosting?

 

[Jism]

Do you use shared hosting?

No. Shared hosting might be usefull if you just have a few "non-important" websites that don't require serious power, ram and other resources such as SSD storage and such. I have over 14 managed servers which server 2500 sites at this very moment. The load is less then 1% on every server. With managed i mean someone is taking care of them simular to updates, configurations and monitoring. My primary task is build websites.

I've used to start with shared hosting very long time ago but after a clusterfuck of fails i decided to take measures into own hands. The problem esp. with cheap hosting is that often issues like other users who mess up their website(s), IP's being blacklisted into RBL lists, google that does'nt trust your neighborhood that much, downtime(s) unannounced often or maintaince for no reason etc etc.

I've came a long way from working in hosting business as well. Both web & gaming servers basicly. My task was to maintain a half rack full of linux server(s) and one simple Windows machine. I just want to do what i do best and that is work on the technical things, not worry about updates, or grab for a manual when things go wrong.

That's what i pay people for.

 

[bug]

Yet another argument in favour of NoScript (or whatever comes after it).

 

[GenericAMDFan]

if you're using ad block plus or ublock origin you can block these web based miners by adding the "no coin" filter list: https://adblockplus.org/subscriptions#type_other

 

[R-T-B]

and next these same companies that mine will blather on and on about climate change BS...

That's an amazing level of conspiracy you got there...

 

[remixedcat]

no fo reals it's true.... mining uses a lot of power and thus, these ecocrats will try to use this to bait people

 

[TheGuruStud]

People still allow JS to run?

 

[Octopuss]

I still don't even understand the difference between Java and Javascript, so yes, apparently people do

 

[FordGT90Concept]

People still allow JS to run?

I wish I didn't but the internet today is utterly broken with out it.

 

[bug]

I wish I didn't but the internet today is utterly broken with out it.

Still, what I do is install NoScript (that by default only runs JS from the sites you actually visit and blocks everything else). Then I whitelist the most widespread CDNs, googleapis, jquery,

 

[R-T-B]

no fo reals it's true.... mining uses a lot of power and thus, these ecocrats will try to use this to bait people

You don't save the planet by consuming energy, and if you are an "ecocrat" believe it or not that's what most all of them believe they are trying to do (and frankly, I believe they are, but that's a different debate).. No one is trying to bait someone into investing into solar via mass energy consumption.

I'm dropping this here as I don't really understand the logic of that at all.

 

[Ruru]

if you're using ad block plus or ublock origin you can block these web based miners by adding the "no coin" filter list: https://adblockplus.org/subscriptions#type_other

Thanks, not giving toy money and paying more electricity.