Showtime Won't Explain Why Its Website Was Hijacking User Browsers To Covertly Mine Cryptocurrency

from the whoops-a-daisy dept

Showtime's websites recently began covertly hijacking user browsers to mine cryptocurrency, and neither Showtime nor its parent company CBS appears interested in explaining how or why it happened. The code in question -- a bit of JavaScript dubbed Coinhive -- was embedded in two different Showtime domains: Showtime.com and Showtimeanytime.com. When a user visited these domains, their browser was hijacked and their computer was forced to help mine Monero, a new privacy-centric alternative to bitcoin currently valued at around $92 each.

The mining software was first noticed by a Twitter user who discovered the Coinhive miner buried early on in the source code.

Users weren't alerted that this was happening, and visitors reportedly found that the mining software used up to 80% of their CPU cycles. Such miners can also notably drain battery life for visitors on mobile devices. And as of this writing, Showtime has been completely unwilling to confirm that this occurred, much less explain how the code appeared. The company has refused to respond to numerous requests for comment from a myriad of websites, Techdirt included. The code appeared on the evening of September 23, and had disappeared by the next Monday morning.

It seems relatively unlikely that executives or developers at Showtime thought it would be a good idea to hijack the browsers of potential customers to mine cryptocurrency, leading many to believe that Showtime's servers were likely hacked by somebody looking to covertly make a little extra money:

"The JavaScript, which appeared on the sites at the start of the weekend and vanished by Monday, sits between HTML comment tags that appear to be an insert from web analytics biz New Relic. Again, it is unlikely that an analytics company would deliberately stash coin-mining scripts onto its customers' pages, so the code must have come from another source – or was injected by miscreants who had compromised Showtime's systems."

That said, it's not impossible that Showtime was running an experiment. Cryptocurrency miners have been making headlines in recent weeks after The Pirate Bay was caught also covertly using Coinhive to hijack visitor browsers to make extra bank. Coinhive only just launched September 14, advertising itself as a creative alternative to the traditional advertising model. But after users over at the Pirate Bay subreddit discovered the practice and began to complain, the website was forced to pull the software from its code and issued a relatively flimsy mea culpa:

"As you may have noticed we are testing a Monero javascript miner. This is only a test. We really want to get rid of all the ads. But we also need enough money to keep the site running."

Except covertly hijacking a browser with glorified malware obviously isn't a great way of "keeping a site running," especially if websites running to embrace Coinhive refuse to let users opt out -- much less inform them this is even happening. Not surprisingly, the recent rise in such stealth cryptocurrency miners has resulted in Adblock Plus moving to help block such hijacks. Malwarebytes analyst Jérôme Segura warns in a blog post that some websites appear unsurprisingly intent on "pushing the limits towards a really bad user experience":

"Gaming and video sites typically are more resource intensive, so it seems to make little sense to run a miner at the same time without having a noted impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about an under par user experience. The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice."

Again, there are creative alternatives to advertising, and then there's just being an asshole. Hijacking a visitor's browser, CPU and electricity to mine cryptocurrency without informing them -- or letting them opt out -- sits firmly in the latter category.


Filed Under: coinhive, hijacking, javascript, monero, showtime

Companies: cbs, showtime