Hi Hack Ho Mining We Will Go

Cryptojacking and Content Security FTW

iamlost

4:01 pm on Apr 1, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



A non-fools? April 1st read courtesy of Troy Hunt (web security consultant/evangelist, founder of Have I Been Pwned):
I Now Own the Coinhive Domain. Here's How I'm Fighting Cryptojacking and Doing Good Things with Content Security Policies. [troyhunt.com]
Yes, it’s long but it’s fascinating...


That's a substantial number of requests; peaking at 3.63M in a day for a service that doesn't even exist anymore. But the number that really impressed me (if "impressed" is the right word here...) was the number of unique visitors per day:

Daaaamn! More than 2 years after Coinhive was gone and the miner is still embedded in enough places to be serving more than 100k unique visitors per day.


... let's just let that sink in for a moment: I can now run whatever JavaScript I want on a huge number of websites. So, what could I do with JavaScript? I could change where forms post to, add a key logger, modify the DOM, make external requests, redirect to a malicious file and all sorts of other very nasty things. That's the power you hand over when you embed someone else's JS in your own site and that's precisely why we have subresource integrity.


Note: Content Security Policy (CSP) [developer.mozilla.org]
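
As an added illustration of the subresource integrity point quoted above (not part of the original post or of Troy Hunt's article): a small audit that lists third-party `<script>` tags carrying no `integrity` attribute and shows that a pinned hash rejects a modified file. The hosts `www.example.org`, `cdn.example` and `miner.example`, the script body and all function names are constructed for the example.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Value for an integrity="" attribute: '<alg>-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, body).digest()).decode()}"

def matches(body: bytes, integrity: str) -> bool:
    """True if body matches any listed hash (browsers use only the strongest alg)."""
    for token in integrity.split():
        alg = token.split("-", 1)[0]
        if alg in ("sha256", "sha384", "sha512") and sri_hash(body, alg) == token:
            return True
    return False

class ScriptAudit(HTMLParser):
    """Collect (src, integrity) for every <script> loaded from another host."""
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        src = attr.get("src")
        if tag != "script" or not src:
            return
        host = urlparse(src).hostname  # None for relative, same-origin URLs
        if host and host != self.site_host:
            self.findings.append((src, attr.get("integrity")))

def unpinned(html: str, site_host: str) -> list:
    """Third-party script URLs that carry no integrity attribute."""
    audit = ScriptAudit(site_host)
    audit.feed(html)
    return [src for src, integrity in audit.findings if not integrity]

# Constructed sample input: hosts and script body are placeholders.
SAMPLE_JS = b"console.log('widget v1');"
SAMPLE_HTML = f"""<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example/widget.js" integrity="{sri_hash(SAMPLE_JS)}"
        crossorigin="anonymous"></script>
<script src="https://miner.example/lib/miner.min.js"></script>
</head></html>"""

if __name__ == "__main__":
    print("no SRI:", unpinned(SAMPLE_HTML, "www.example.org"))
```

A script flagged here runs whatever its host serves, including after the domain changes hands; one pinned with `integrity` is refused by the browser as soon as its bytes differ from the hash.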

NickMNS

4:39 pm on Apr 1, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Great article; this is a must-read, not in regard to cryptojacking but for better understanding of website security.

lammert

7:22 pm on Apr 1, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Very interesting read about how a simple JavaScript include can cause so much havoc. Troy assumes that part of the current requests to the Coinhive site are not caused by websites running the old scripts, but by JavaScript injections by infected routers. For all those webmasters who haven't converted to HTTPS yet:
Securing the transport layer isn't just about protecting sensitive information, it's also about protecting the integrity of the content and assuming Hugo is right here, this is a beautiful demonstration of the necessity of HTTPS everywhere.

not2easy

2:23 pm on Apr 2, 2021 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



It is a fascinating read. It makes a point I try to get across about installing WP plugins without investigating them closely. They have been known to be sold to third parties with a different agenda. How many keys to your core files do you really need floating around?

lammert

2:36 pm on Apr 2, 2021 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Good point, not2easy. I own a few projects on GitHub which have 100+ forks and thousands of worldwide installations. For that same reason you mentioned, I deny all pull requests in which the changes are above trivial fixes which can be fully manually verified. Existing popular trusted packages are an easy vehicle for people with malicious intent.