Coinhive have been in the news a lot lately and we often hear about them when a site has suffered a cryptojacking attack. They are the easiest way to get crypto mining set up on your site and are intended for legitimate use only. As we know though, that's not always the case.
If you want a quick and easy way to set up crypto mining on your site, to use the CPU of your visitors to mine, then Coinhive is probably the best way to do that. The idea is that you include their script in your pages and, whilst a visitor has the page open, a configurable amount of their CPU will be used to mine cryptocurrency, specifically Monero, or XMR. Their Terms of Service do of course restrict illegal use of Coinhive, like installing it on another site without permission (cryptojacking), but that doesn't, and hasn't, stopped this from happening very frequently.
Cryptojacking is the process by which a website has a cryptominer installed on it without the consent of the owner. If I can inject a miner onto a very popular website, or a large number of websites, then all of the visitors to those websites will be mining XMR for me. That means I can make some money with very little effort, winner! This is exactly what happened to almost 4,500 websites just a few weeks ago: a third-party script that they all loaded was altered to include the Coinhive cryptominer. I wrote a blog about the incident and it gained international headlines due to the sheer number of government sites that were hit by the attack.
Not too long after that, another big company was found running the Coinhive cryptominer on their site after being hit by cryptojacking too.
They've just fixed the S3 bucket so it's relatively safe to tweet about this now. Up until a few moments ago, Sony were running coinhive on various domains. Cryptojacking strikes again! pic.twitter.com/jGgoaaPKDc— Scott Helme (@Scott_Helme) March 2, 2018
As much as Coinhive advertise that they are a legitimate service, they do get used an awful lot in cryptojacking attacks.
Why Coinhive for Cryptojacking
Whilst the Coinhive ToS don't allow you to do naughty things with their cryptominer, like cryptojacking thousands of sites, there are absolutely no technical measures, whatsoever, in place to stop you from doing so. It seems that Coinhive, who it should be noted take 30% off the top of all cryptocurrency mined, rely solely on the argument that people should not be doing this, and thus have no responsibility themselves. Whilst I agree with the technicalities of what they're saying here, if they wanted to stop their product being abused, which they claim they do because its malicious use is damaging their reputation, they could try to put some technical measures in place.
Coinhive have tried to portray themselves as the innocent party in many of these attacks and, whilst they never condone the malicious use and always condemn the attackers, they never change. After the larger attack mentioned above that hit almost 4,500 sites, Coinhive released a statement that wasn't accurate or even true, and later updated their stance.
A response from CoinHive on the cryptojacking attack that hit government sites over the last 36 hours. They claim that the 'attackers did not use [their] service'. pic.twitter.com/olnOs9OooF— Scott Helme (@Scott_Helme) February 12, 2018
Coinhive still maintain that they are a legitimate service and didn't see such hostile use happening (really), going so far as to complain that their reputation couldn't be much worse right now. To help get themselves out of the hole they seem to be in, where every anti-virus program and ad-blocker in the land seems to want to neutralise their legitimate service, I thought I'd look at a way they could solve the problem of malicious use of their service for them.
Steps towards ensuring legitimate use
For Coinhive to prove that they are indeed a legitimate service, it'd be great to see some technical measure put in place to stop their service being used by hackers in such trivial cryptojacking attacks. I did put this to them once, but they were very quick to dismiss my suggestions.
Won't work. You could just validate your own domain, run the miner there and embed it in an iframe on random websites.— Coinhive (@coinhive_com) February 14, 2018
The method you can see outlined in my tweet to them is fairly simple and something that a site operator could complete with minimal effort. Essentially what we're looking to do is have a site prove that they want to run Coinhive, and have Coinhive check that's the case. Registering with the service isn't a particularly large burden if you want to use the service, and is just a few small steps. Next, prove ownership of your domain, which Coinhive can check with a simple DNS TXT record or by hosting an HTML challenge file. Lastly, when requests to load their library hit their servers, all Coinhive have to do is check that the site loading the script is one that is registered and verified. If the site is registered and verified then serve the miner; if not, you know the host doesn't consent and can return a 404 or whatever is appropriate.
As they point out in their response, there are ways that attackers could work around these measures, but the same can be said for any security measure. The point is not to make it impossible to pull off the attack, it's to make it too much hard work to be worthwhile. Registering a domain and finding a hosting solution both put a burden on the attacker, in terms of the technical requirements but also financially. Having to buy a domain and hosting means providing payment information that one would assume they wouldn't want linking back to them easily. That means careful consideration if you want to avoid ending up on the wrong side of the law. The point is that it's no longer a simple copy/paste attack, which will deter at least some of them. There are also additional checks the library itself could carry out, like refusing to run if the script is being loaded inside a framed document.
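To make the three steps above concrete, here is an added sketch of the gate (my own illustration, not Coinhive's code): a registry of domains with their challenge tokens, ownership verification against DNS TXT records, a request check that serves the script only to a verified Referer/Origin host, and the client-side framed-document check from the paragraph above. The registry contents, token format and header object (Node-style lowercase keys) are all constructed assumptions.

```javascript
// Constructed sample registry: domain -> challenge token issued at sign-up.
const registry = new Map([
  ["example.com", "coinhive-verify=abc123"],
  ["news.example.org", "coinhive-verify=def456"],
]);
const verified = new Set(); // domains whose ownership challenge has passed

// Step 2: ownership proof. `txtRecords` is what a DNS TXT lookup returned
// (passed in here so the example runs offline; a real service would resolve it).
function verifyDomain(domain, txtRecords) {
  const expected = registry.get(domain);
  if (!expected) return false; // unknown domain: nothing to verify against
  const ok = txtRecords.some((r) => r.trim() === expected);
  if (ok) verified.add(domain);
  return ok;
}

// Which site is loading the script? Prefer Origin, fall back to Referer.
// A missing or unparsable value (e.g. Origin: null) yields null -> deny.
function loadingHost(headers) {
  const src = headers.origin || headers.referer;
  if (!src) return null;
  try {
    return new URL(src).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Step 3: serve the miner only to a registered AND verified host; otherwise 404.
function gateScriptRequest(headers) {
  const host = loadingHost(headers);
  if (host && verified.has(host)) return { status: 200, body: "/* miner */" };
  return { status: 404, body: "" };
}

// Client-side check the library could add: refuse to start when framed, so a
// verified domain cannot simply be iframed into pages that never consented.
// `win` stands in for the browser `window`; any error is treated as framed.
function shouldStartMiner(win) {
  try {
    return win.self === win.top;
  } catch {
    return false;
  }
}
```

Referer and Origin are hints, not proof, which is exactly why the frame check and the cost of registering a real domain matter as well.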
All said and done, Coinhive could put measures in place if they wanted to. I don't think you get to complain about harm done to your reputation and take no steps to resolve the problem at the same time, you can't have it both ways!
For site operators that want to protect against these kinds of attacks, there's the blog post I published at the time of the big government cryptojacking attack, Protect your site from Cryptojacking with CSP + SRI, which details how you can take pretty robust steps towards stopping this happening to you. One thing that I said at the time, and will reiterate now, is that things could have been a lot worse. Attackers had script execution in government websites and we're really lucky they didn't exploit it to its full potential, instead only doing a tiny fraction of what they could have done. I spoke to the BBC about the things that could have happened and even did a small demo; check out the episode of BBC Click here on the iPlayer for those in the UK, or below on YouTube for everyone else.