Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency

from the whoops-a-daisy dept

Showtime's websites recently began covertly hijacking user browsers to mine cryptocurrency, and neither Showtime nor its parent company CBS appear interested in explaining how or why it happened. The code in question -- a bit of JavaScript dubbed Coinhive, was embedded in two different Showtime domains: Showtime.com and Showtimeanytime.com. When a visitor visited these domains, their browser was hijacked and their computer was forced to help mine Monero, a new privacy-centric alternative to bitcoin currently valued at around $92 each.

The mining software was first noticed by a Twitter user who discovered the Coinhive miner buried early on in the source code:

Users weren't alerted that this was happening, and visitors reportedly found the mining software utilized up to 80% of a visiting user's CPU cycles. Such miners can also notably drain battery life for visitors on mobile devices. And as of this writing, Showtime has been completely unwilling to confirm that this occurred, much less explain how the code appeared. The company has refused to respond to numerous requests for comment from a myriad of websites, Techdirt included. The code appeared in the evening of September 23, and had disappeared by the next Monday morning.

It seems relatively unlikely that executives or developers at Showtime thought it would be a good idea to hijack the browsers of potential customers to mine cryptocurrency, leading many to believe that Showtime's servers were likely hacked by somebody looking to covertly make a little extra money:

"The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems."

That said, it's not impossible that Showtime was running an experiment. Cryptocurrency miners have been making headlines in recent weeks after The Pirate Bay was caught also covertly using Coinhive to hijack visitor browsers to make extra bank. Coinhive only just launched September 14, advertising itself as a creative alternative to the traditional advertising model. But after users over at the Pirate Bay subreddit discovered the practice and began to complain, the website was forced to pull the software from its code and issued a relatively flimsy mea culpa:

"As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running."

Except covertly hijacking a browser with glorified malware obviously isn't a great way of "keeping a site running," especially if websites running to embrace Coinhive refuse to let users opt out -- much less inform them this is even happening. Not surprisingly, the recent rise in such stealth cryptocurrency miners has resulted in Adblock Plus moving to help block such hijacks. Malwarebytes analyst Jérôme Segura warns in a blog post that some websites appear unsurprisingly intent on "pushing the limits towards a really bad user experience":

"Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience. The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice."

Again, there are creative alternatives to advertising, and then there's just being an asshole. Hijacking a visitor's browser, CPU and electricity to mine cryptocurrency without informing them -- or letting them opt out -- sits firmly in the latter category.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: coinhive, hijacking, javascript, monero, showtime
Companies: cbs, showtime


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Machin Shin, 29 Sep 2017 @ 6:50am

    Interesting idea though

    Sadly the bad actors are going to kill all chances of it working, but does make me wonder.

    What if you ran a site and just had clean banner at the top politely asking people to please run the miner to support you? It could actually be a good alternative to ads... So long as it is done clearly upfront and Opt-in only.

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 29 Sep 2017 @ 6:53am

    Re: Interesting idea though

    Agree, but it is a sure sign of how these assholes operate.

    It is is not shady, spying, controlling, or domineering... they are not interested!

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 29 Sep 2017 @ 7:00am

    Re: Interesting idea though

    Hey guys, you could do this. I'd spend electricity on you.

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 29 Sep 2017 @ 7:05am

    Re: Interesting idea though

    That is an interesting idea. Can these miners limit the amount of CPU usage they use? Or let the user determine how much of the CPU is used?

    I'd like to see the math on that and compare it to ad revenue. Would it be more? Less? Equal to?

    I loath ads with every fiber of my being. But I would definitely volunteer some CPU time during my visits.

    link to this | view in thread ]

  5. icon
    Chris ODonnell (profile), 29 Sep 2017 @ 7:07am

    Hey Mike Masnick - are you still living with javascript disabled in your browsers? Wondering if that is even possible is today's .js driven web world. Because more and more javascript seems like a security weaknesses.

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 29 Sep 2017 @ 7:22am

    Re: Re: Interesting idea though

    I'd gladly let them coopt my CPU for cryptocurrency mining if it meant I didn't have to watch commercials.

    But they'd have to inform me upfront, provide an alternative, and the experience has to be positive (none of this buffering and dropping connections crap).

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 29 Sep 2017 @ 7:37am

    I'd love to see the disclaimer for this in the future...

    "This website uses embedded crypto-currency mining software the borrows from your computer's processing power. Please be aware that by visiting this website you agree to help us generate swaths of grey market currency while driving up your energy consumption, reducing the responsiveness of all your other programs, and possibly hurting your net bandwidth usage.

    Also something something tracking cookies

    [[I Accept]]"

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 29 Sep 2017 @ 7:37am

    Re:

    I'm not Mike Masnick, but I've blocked Javascript in my browsers for many years now -- only allowing it permanently from a few dozen sites, only allowing it temporarily on a limited basis. Yes, this sometimes breaks things, and yes, there are a lot of sites that pull Javascript from WAY too many sources (Techdirt appears to be using 16) but rampant abuse has made it necessary -- just as it's become necessary to block all advertising.

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 29 Sep 2017 @ 7:39am

    What if this was done to a user....

    ....who is operating in a legal jurisdiction that has banned cryptocurrencies? (In other words, what if forcing this on a user caused them to commit a crime?)

    link to this | view in thread ]

  10. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:08am

    Re: Re:

    Seconded

    JS is a well known vector for malware, many times embedded in ads.

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:10am

    Sounds like theft of service to me, wonder if the DA or whomever is interested in prosecuting these scumbuckets.

    link to this | view in thread ]

  12. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:18am

    Re: Re: Interesting idea though

    It'd be interesting to have a revenue scheme that involved letting a miner generate credit. Run our particular miner for X amount of time and pick a season to view. It definitely blurs the lines of currency, but I think it would be an interesting proposition.

    link to this | view in thread ]

  13. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:27am

    Re:

    I think i've seen Mike link to sites that don't work without JS. He must have it enabled. But I don't and Techdirt still works. Lots of sites haven't tested obviously--sometimes the pages are just blank or "links" don't work, sometimes you get an "enable javascript" message (don't--it only encourages them).

    link to this | view in thread ]

  14. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:41am

    Even more the reason to just torrent the latest Star Trek and anything else made by CBS.

    If they're going to abuse technology to steal from us, what's wrong with us doing it to them?

    link to this | view in thread ]

  15. identicon
    Machin Shin, 29 Sep 2017 @ 8:51am

    Re:

    I just keep thinking, if I pirate Star Trek does that make me a space pirate? I'm just going to pretend it does because it is awesome and go watch me some Star Trek.

    link to this | view in thread ]

  16. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:52am

    The real question is why are you letting these sites run proprietary scripts on your computer?

    link to this | view in thread ]

  17. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:55am

    Re: Re: Re:

    ditto 3rd

    link to this | view in thread ]

  18. identicon
    Anonymous Coward, 29 Sep 2017 @ 8:58am

    Re: Interesting idea though

    link to this | view in thread ]

  19. identicon
    Anonymous Coward, 29 Sep 2017 @ 9:00am

    Re: Re:

    "-sometimes the pages are just blank"

    If you're using Firefox, oftentimes you can click the book icon next to the URL bar and magically the words appear.

    link to this | view in thread ]

  20. identicon
    Anonymous Coward, 29 Sep 2017 @ 9:02am

    Re: What if this was done to a user....

    Has there been anywhere that has banned mining it? I only know places that have banned using it.

    link to this | view in thread ]

  21. identicon
    Anonymous Coward, 29 Sep 2017 @ 9:15am

    I have traced back a lot of this type of activity to ads on web pages that are served by ad networks. A telephone company in India would setoff botnet alerts on our network whenever anyone of our employees went there. The alerts were for the browser trying to reach coinbase servers once the ad loaded up and started the mining process.

    link to this | view in thread ]

  22. identicon
    Anonymous Coward, 29 Sep 2017 @ 9:25am

    Re: Re: Interesting idea though

    Rightly so, same should be done to showtime, but the problem is that tidbit is in the wrong class of humans.

    Any website that runs code that performs work to consume resources at the expense of the consumer, especially without any notice/permission, is against the CFAA.

    As a user I expect to pay for the electricity and my costs to connect to the infrastructure and to consume bandwidth to display/interact with the services that a website is offering. The moment they start consuming any of my resources to make them money without first obtaining explicit permission then they are criminally liable for every watt my CPU consumes crunching their code!

    I am okay with this replacing ads, but only as long as I am notified that my machine is now being used like this and given a choice to participate or not!

    It should be illegal for a website to require someone to allow their computer to become a botnet, even it temporary, to consume a website!

    link to this | view in thread ]

  23. identicon
    Anonymous Coward, 29 Sep 2017 @ 9:48am

    I actually think it is a great idea. But definitely has to be permission based. Start them on a regular add full experience and then offer the add free version for 20% of your CPU/GPU.

    link to this | view in thread ]

  24. icon
    PlagueSD (profile), 29 Sep 2017 @ 10:19am

    Oh look...Another good use for the NoScript browser Addon. Also, a good reason to NEVER leave a browser open on your computer. You have no idea what's running "Behind the scenes".

    link to this | view in thread ]

  25. identicon
    Anonymous Coward, 29 Sep 2017 @ 10:31am

    Re: Re: Re: Interesting idea though

    Any website that runs code that performs work to consume resources at the expense of the consumer, especially without any notice/permission, is against the CFAA.

    This has the makings of a very entertaining slippery slope. Suppose a website could lay out its content properly, as a static page on the server, which is then sent verbatim to clients; or they could indulge their JavaScript addiction and make the client do all the work laying out the page. The latter will be slightly more CPU efficient for the server (although globally much less efficient since each client would perform the work independently, rather than asking the server to do it once), thus saving them money by requiring the client to perform extra work to use the page. Frequently, such client-side rendered pages are at best equivalent, and usually far worse, user experience than doing it properly on the server (hence satisfying your "at the expense of the consumer"). Would that rise to a CFAA claim under your standard? It feels like it shouldn't, but it'd be greatly entertaining if it did, because then most Javascript addicted sites could be chased for CFAA. :D

    link to this | view in thread ]

  26. identicon
    Yes, I know I'm commenting anonymously, 29 Sep 2017 @ 10:42am

    Get used to it

    Tim Berners Lee recently enabled corporations to to this without you being allowed to find out..
    It is called EME in combination with DMCA 1201. See https://boingboing.net/2017/09/18/antifeatures-for-all.html

    Once the corporate overlords understand the process it will be everywhere.
    Maybe then there will be some political pushback.

    link to this | view in thread ]

  27. icon
    Designerfx (profile), 29 Sep 2017 @ 10:49am

    Re: Interesting idea though

    No.

    "We've turned this on guys, please do it" is no less acceptable than "...."

    That's a "please help us fix business model problems and oh give us more $$"

    link to this | view in thread ]

  28. identicon
    TripMN, 29 Sep 2017 @ 10:52am

    Re: Re: Re: Re: Interesting idea though

    All modern web frameworks that work as single page apps (Ember, React, Angular) do just what is being talked about. They render the HTML once, and then only send JSON data blocks back from the server and the browser/JS does the unpacking and processing and re-rendering.

    If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.

    BTW, "asking the server to do it once" is mostly incorrect except on the simplest web pages because injecting any amount of personalization into a page requires the server to render the page for each user.

    link to this | view in thread ]

  29. identicon
    Anonymous Coward, 29 Sep 2017 @ 11:49am

    Re: Re: Re: Re: Re: Interesting idea though

    Your points are valid wrt any actions initiated by the user ... however it appears that the article is discussing other non user initiated activity performed upon user's machine without their knowledge/consent.

    What would happen if the unnecessary activity initiated by the website visited by a user who is not aware of said activity ... were to be found illegal? Who is responsible? How does said user defend against this?

    link to this | view in thread ]

  30. identicon
    Anonymous Coward, 29 Sep 2017 @ 11:54am

    Re: Re: Re: Re: Re: Interesting idea though

    "If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation."

    Remember, CFAA explicitly states that any usage of a computer that gains access without authorization or attempts to perform a task that exceeds current authorization is abuse.

    A website running code to perform its function for serving up content is legit for the obvious reasons. However, the point where the code is now executing something that is "not useful" to that purpose means they exceeded authorization.

    Just visiting a page is NOT authorization to just run any code on the visiting machine.

    I think the problem here is that once again, we allow companies too much latitude in what they do, just throwing the doors wide open until the abuse is TOO obvious to the point where pretzel logic cannot defend it. This is what created the problem of IoT vulnerability.

    Imagine if a store asked all of its customers to process a mathematical equation when they enter the door or face getting kicked out. The more we allow this to continue, the more slippery that slope gets.

    link to this | view in thread ]

  31. identicon
    Anonymous Coward, 29 Sep 2017 @ 12:18pm

    Re: Re: Re: Re: Re: Interesting idea though

    All modern web frameworks that work as single page apps (Ember, React, Angular) do just what is being talked about. They render the HTML once, and then only send JSON data blocks back from the server and the browser/JS does the unpacking and processing and re-rendering.

    Actually, my experience has been that they render the HTML exactly zero times, then send a blob of Javascript to the client to construct the page. That's what causes them to be so utterly broken for users who wisely block Javascript. If they did it right, the Javascript would be a progressive enhancement on top of an already usable page. Most sites instead do it dead wrong and make the page totally unusable unless you pull in untrusted scripts from half a dozen different servers.

    Personally, I never authorize any site I visit to run Javascript on my computer. Under the frequently twisted interpretation of the CFAA, since I don't want it to happen, and yet it happens, it must be a CFAA violation. ;)

    If this is a CFAA violation (which I highly doubt), then a large percentage (probably 70+% of companies) are in violation.

    I know. I can dream though.

    BTW, "asking the server to do it once" is mostly incorrect except on the simplest web pages because injecting any amount of personalization into a page requires the server to render the page for each user.

    Sure, personalization requires customization. That's obvious. But how often are personalized pages actually necessary when viewing content that is functionally identical across all users (e.g. listing of current news or thread titles in a forum)? There are way too many sites that have decided that everything that could possibly be personalized must be, whether or not it makes any sense.

    link to this | view in thread ]

  32. icon
    ShadowNinja (profile), 29 Sep 2017 @ 1:12pm

    Re: Interesting idea though

    ...I don't know about you, but I keep literally 10+ tabs open at a time.

    What would happen if all 10 of those sites tried to make my computer mine crypto-currency for them?

    Even the best computers would probably choke and crash under that onslaught.

    Or the computer's anti-virus would start alerting the user like crazy that someone's trying to inject malware on your computer.

    link to this | view in thread ]

  33. icon
    ShadowNinja (profile), 29 Sep 2017 @ 1:14pm

    Re: Re: What if this was done to a user....

    Well isn't banning the use of it kind of banning the mining of it by default?

    If you're mining it obviously you intend on 'using' it in some way when you sell it/spend it later.

    link to this | view in thread ]

  34. icon
    MyNameHere (profile), 29 Sep 2017 @ 1:38pm

    All along you are saying "the legacy industry should learn from piracy". Now they do, and you are upset.

    Who started this issue recently? The Pirate Bay. Didn't read any outraged comments then, even when they were running a miner that would knock your cpu usage to 100%.

    Ahh, the double standards!

    link to this | view in thread ]

  35. identicon
    Anonymous Coward, 29 Sep 2017 @ 1:39pm

    Let me make a little prediction that someone is going to hang by their testicles for this.

    link to this | view in thread ]

  36. identicon
    Anonymous Coward, 29 Sep 2017 @ 1:51pm

    Re: Re: Re: Interesting idea though

    It IS.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 29 Sep 2017 @ 3:09pm

    Re: Re: Re:

    Yeah, turning off stylesheets works too sometimes. (View / Page Style / No Style) I still don't know why anyone would set their page to be invisible by default.

    link to this | view in thread ]

  38. icon
    That One Guy (profile), 29 Sep 2017 @ 3:09pm

    Re:

    All along you are saying "the legacy industry should learn from piracy". Now they do, and you are upset.

    A statement as stupid as 'You were complaining that the restaurant didn't have good food, and now that they've taken to adding a $20 charge to the bill because screw you you're upset?'

    Or how about 'People were complaining that movies were too expensive, and now that they've decided to just download them for free you're upset', would you accept that as valid?

    Assuming it was done by the ones running the site itself(possible, and their refusal to explain anything certainly isn't helping) then 'Ads aren't bringing in as much, let's hijack our visitor's system resources' is not a valid response, whereas being upset about a site serving up malware most certainly is.

    Whether or not The Pirate Bay did something similar is besides the point, it wasn't acceptable then, and it's not acceptable now, so once again your attempt at a 'Gotcha' falls flat.

    link to this | view in thread ]

  39. icon
    Eldakka (profile), 30 Sep 2017 @ 10:49pm

    Re: Re: Re: Re:

    ditto.

    Been using javascript blocking for years. In the early days I'd have JS disabled entirely in the browser, then used addons that added a button to disable/enable it, then later ones that allowed per-site, then still later the more advanced ones like noscript, policeman, umatrix, and so on that allow blocking not just on the site, but subdomains, cross-site, and so on.

    link to this | view in thread ]

  40. identicon
    Anonymous Coward, 1 Oct 2017 @ 4:54am

    Because they can. That's why corruption, spying, etc. exists in the first place.

    link to this | view in thread ]

  41. identicon
    Anonymous Coward, 1 Oct 2017 @ 8:12am

    Re: Get used to it

    Should I keep copies of old browsers?

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 1 Oct 2017 @ 8:12pm

    Re:

    But the DRM that fucks over your computer from the CD you purchased legally is somehow hunky-dory to you...

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.