What the heck? A Twitter post appeared on Saturday, September 23, accusing Showtime of silently using the CPUs of visitor PCs accessing at least two of its websites in order to generate a digital currency called Monero. Security firm Bleeping Computer followed up with an investigation to discover that the sites were running a script in the background to silently generate virtual coins by accessing the connected PC’s processor through a web browser.
Typically, miners generate virtual coins using dedicated machines. If you ask the PC gaming community, these miners are eating up all low-cost, high-performance graphics cards, leaving the market dry and available units highly overpriced. These machines not only generate digital coins, but they help maintain the base ecosystem, such as processing transactions and keeping track of purchases.
But silently using the processor of visitor PCs accessing a website is new. The script used by Showtime is a JavaScript kit called Coinhive, which sat undetected on Showtime’s secondary website, and its online streaming service, Showtime Anytime. Showtime removed the script once the report went live.
The use of Coinhive by a mainstream service is a bit of a mystery. There is speculation that hackers may have gained access to Showtime’s websites and inserted the script to take advantage of unsuspecting visitors. There’s also speculation that Showtime was experimenting with the script, as a specific command in the code kept Coinhive dormant 97 percent of the time. If the script were placed by a hacker, it would generate virtual coins at full speed.
Unfortunately, there’s a good chance Showtime used the script on purpose. The Pirate Bay did something similar two weeks ago using the same Coinhive script, although the site didn’t silently sip unused CPU resources. Instead, The Pirate Bay wanted feedback from its visitors, who didn’t like the idea of a website silently accessing their system resources in the background.
The use of Coinhive presents several problems. For starters, Sites using the script are intentionally slowing down your PC to generate virtual coins as something of a payment for accessing their services. Even more, Coinhive is already becoming a tool used for ill intent, such as running on “typosquatted domains” — those often malicious websites you visit when typing the wrong web address — and appearing in Chrome browser extensions.
But that is only the chilling tip of the iceberg. Hackers have flocked to Coinhive and are reportedly breaking into websites to install the kit and silently generate virtual money. Coinhive is also making its way into advertisements that lead not only to sites that seize the browser with fake security alerts, but generate virtual coins in the background while the user tries to regain control.
Ultimately, your PC is your property and no one has the right to use your hardware to create virtual money without permission. The Pirate Bay’s experiment alone could have generated at least $12,000 in Monero per month you will never see.
Parent company CBS Corporation declined to provide a comment.