This entry was posted in Research on November 8, 2017 by Mark Maunder 30 Replies

The WordPress plugin repository recently removed a plugin known as “Animated Weather Widget by weatherfor.us.” We dug a little deeper, and it appears that the plugin was removed for including JavaScript code that would mine cryptocurrency using the CPU resources of site visitors.

It works as follows:

A WordPress site owner installs the “Animated Weather” plugin.

The plugin loads an iframe. This allows the owner to include any code they want in visitors’ browsers, and to change the code at any time.

The iframe loads code from CoinHive that mines the Monero cryptocurrency. The mining activity uses significant site visitor CPU resources.

Earnings are sent back to CoinHive and aggregated into the account owner’s bank account. Presumably, the account owner in this case is the owner of the “Animated weather” plugin. CoinHive keep 30% of the profits.

This allows the plugin owner to earn money by using the CPU resources of visitors to sites using the “Animated weather” plugin.

The following is a screen capture from a debugger showing an iframe that loads from the www.weatherfor.us domain. In this, we show the JavaScript that loads the CoinHive code that actually does the mining.

While researching this post, we found that visiting a site that includes this plugin’s CoinHive Monero mining code generates a huge amount of CPU usage. This becomes audible when your CPU fans all increase their RPMs. I’ve included a short cellphone video below to show the effect.

Two months ago, the Showtime websites showtime.com and showtimeanytime.com were found mining cryptocurrency. It is still unclear whether they were hacked, or if they placed the code there voluntarily. Other websites like The Pirate Bay have added the CoinHive Monero mining code to try to earn additional revenue. Earlier this month, CoinHive mining code was discovered on the UFC website UFC.tv. It is unclear whether they were hacked or if they placed the code on the site themselves.

I reached out to the WordPress.org plugin repository maintainers, and Otto had this to say regarding this plugin:

<start quote>

“Yes, the plugin was removed because the site it connected to, weatherfor.us, started putting hidden mining code in their widgets. The plugin itself was not altered in any way, it was the site which it gets the widget from that had this code added. Currently, we treat hidden insertion of any undisclosed code as potentially malicious, and crypto-mining is not an exception to this general principle. If a plugin that is unrelated to such activities is modified to include that code, then we will remove the plugin and potentially remove the offending code ourselves, to protect users. In the same way that plugins are not allowed to, say, insert hidden advertising on sites in a way that benefits the plugin author, plugins are not allowed to insert hidden code in a way that benefits the plugin author. Which is to say that plugins are not allowed to include any form of crypto-mining code which pays back to the plugin author. That said, a plugin that is explicitly intended for a site admin to include a crypto-miner on their site is allowed, and there’s a few of them in the directory already. The important difference is that these are not hidden, and do not pay the plugin author. The site owner is the one operating the miner, not a plugin author doing it on their behalf.”

</end quote>

What has become clear to me during the past two years is that WordPress plugin authors experiment with a wide range of business models. This leads to plugin authors embedding code that may produce spam on websites, selling their plugins to shady individuals, and in this case, using web browser resources to earn income.

Perhaps if we provided clear guidance and mentoring within the community for plugin authors on how to earn a living from their plugins, this issue would not be as prevalent. I can’t help but think of the Apple App Store and similar models, where a clear business model with clear guidance has created a healthy ecosystem and funding to root out bad actors.

Have you experimented with putting CoinHive mining code on your site? Or have you visited a site that was mining? What was your experience? I’d also like to learn more about our community’s views on plugin business models. I’ll be around to read and reply to your comments.

~Mark Maunder – Wordfence Founder & CEO