Official websites across many countries, including the U.S., the U.K., and Australia, were unwittingly drawn into a cryptocurrency-mining scheme that quietly hijacked the computers of people who visited those sites.
The affected websites included those of the United States Courts, the U.K.’s National Health Service (NHS) and Information Commissioner’s Office (the British privacy regulator), and the Australian state governments of Victoria and Queensland. The culprit seems to have been a service, used by all these sites, that helps people read text they cannot normally understand.
Cryptocurrencies such as Bitcoin are “mined” by computers that race one another to solve complex mathematical problems—whoever has the computing power to beat the others gets the coin.
This has led to a phenomenon known as cryptojacking, where people’s computers are hijacked to contribute to the attacker’s cryptocurrency mining operation, without their knowledge. This can be achieved through the silent downloading of malware, through dodgy browser extensions and even through hidden code on websites.
That last tactic is what happened here. As security consultant Scott Helme first noted on Sunday, sites using Texthelp’s Browsealoud plugin were leeching off the computing power of their visitors to mine cryptocurrency. The plugin is an accessibility service that adds speech and translation capabilities to websites, to help visitors who might be dyslexic or for whom English might be a second language.
According to The Register, the code in question was for Coinhive’s notorious Monero miner.
Texthelp responded by taking the plugin offline until Tuesday. The British company said the exploit, which it described as a “criminal act,” had been active for four hours on Sunday.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline,” claimed chief technology officer Martin McKay. “This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.”