Browser-based cryptocurrency mining. Here we will see what browser-based cryptocurrency mining is, how these kind of miners work and how to easily set one up using the coinhive JavaScript-based framework. We will also explore the nature of these family of miners and under what circumstances they should be considered legitimate or malicious; which mostly depends on whether or not the user has provided consent.
What happens when these miners run?
Most likely you’ll see something like the shown in the next video, where the CPU usage sky rockets as soon as the miner starts and goes back to normal when it stops. More on how this works on the article below.
As you can see, as soon as we hit the “Start Mining” button, the CPU usage for the browser (Chrome) goes to the sky, hitting around 160% in some cases.
What are browser-based crypto miners?
Browser-based crypto miners are not new, they have been around for a while, and it dates back to 2011 when the bitcoinplus.com service was launched. These miners came out just a few years after the Bitcoin white paper was published in 2008, under the “Satoshi Nakamoto” pseudonym; which gave us the revolutionary concept of blockchain and described how to create a peer-to-peer electronic cash system (the paper can be found here).
Browser-based crypto miners are not new, but they exploded by the end of 2017.
During the rise of these miners, Bitcoin was the reigning cryptocurrency and they were designed to mine this coin, however, mainly due to the rise of ASIC mining, they didn’t thrive. Browser-based crypto miners made a come back by the end 2017, mostly because of two reasons:
- The big hype created around cryptocurrencies at that time.
- The rise of JavaScript miners like coinhive.
How does it work?
In short, browser-based crypto miners work by running client site code (i.e.: JavaScript) on the user’s browser, this code creates a miner that executes cryptographic calculations which, in turn, requires a lot of CPU processing.
Like most technology out there, browser-based crypto mining should not immediately be considered malicious, there are some cases in which the user is made aware of what would happen if they visit a page, and they take the conscious decision on doing that. One example of this is, if the site’s owner wants to setup a kind of donation program, in which users accepts to give CPU processing as donation.
Browser-based crypto miners are not necessarily a bad idea, or evil. It depends on how we use it and whether or not the user has provided consent.
The problem is, therefore, how are we using the technology. Attackers are embedding this JavaScript mining code into legitimate programs, browser plugins, into infected websites or by simply running it without the user’s consent.
Signing up at coinhive.com
In this case we will be using coinhive.com and you need to sign up on their site, this will give you a public/private key and access to a dashboard, where you can keep track of how much cryptocurrency has been mined.
Your key information can be found under Settings > Sites & API Keys:
And the dashboard looks something like this:
Setting up a miner
Setting up a browser-based crypto miner with coinhive is fairly easy. With our public key and dashboard, we have to first decide what kind of implementation we want to do (since the miner can be integrated in several different ways), this is clearly explained on their docume.ntation page.
In this case we will be using the Simple Miner UI, which is the easiest way to set the miner up. There you will see that all you need to do is to embed a minify JavaScript into your website (see the risk note below for more on why this is risky) and provide a few parameters, including the public site key (data-key), which we obtained in the previous step.
Risk Note: Do note that this way of setting up the miner makes you include JavaScript code from a third party, which can put your website at risk. Above we used a lab environment and thus there is not much risk, if you decide to include this kind of JavaScript in your site, I’d recommend to download the sources, check the source code to make sure no “monkey business” is going on and upload/reference them to/from your site.
What am I including?
If you access the JavaScript code directly on a browser, you’ll see it is minified and that the code looks like one single blob, simply copy this code and use an unminifying service like unminify.com, paste the code there, hit the unminify button and you’ll get an easy to read version of the code.
You’ll notice some configuration regarding libraries, web socket proxies and other services like captcha. You will also see some code related to cookies and auth, I didn’t went deep into the code, but found an interesting part on line 190, where the miner code is:
Risk Note: Do note that you are NOT only including the javascript file, since it includes other files itself. If you want to check everything that’s included, route the browser traffic through a proxy (i.e.: burpsuite) and check exactly what’s included.
What happens when I run it?
In this case I had setup a laptop workstation (since I wanted to see the impact on a real CPU, not a virtualized one, you could also use a VM here though) with apache2 as a web server, I included the JavaScript code (the one pointing at the minified JavaScript) into a web page and provided my public site key as parameter, I also added some extra configuration and text of my own.
That’s pretty much it, but, what would actually happen when a user browse to the page containing the miner’s code? The first and most notable thing is that the CPU usage will go very high, you could probably also hear your CPS’s fan speeding up within a while and this means that you are mining cryptocurrency for the site.
If your CPU usage rockets up when browsing a website, you might be a victim of browser-based cryptocurrency mining.
Now, if you go back to your coinhive’s dashboard, you’ll see some numbers moving up:
Should it be considered bad?
I’d say, it depends! To me, the crucial part is whether or not you are getting consent from the user. Letting the user know in advance that if he or she, takes a conscious action (i.e.: clicking a button), they are basically providing permission to run your miner on their browser.
I don’t see anything wrong with that, in fact, it can be used in situations where the user wants to easily reward the owner of the site (emphasis on simple, but do note that simple here does not equal efficiency in terms of energy/electricity, that’s a different matter). For instance, a donation page (similar to the one in the video above) or some sort of rewarding system would be good candidates for this approach.
Conclusion
Implementing a browser-based cryptocurrency miner is way simpler than one might think.
One of the first things you would notice when a miner of this kind is running in your browser, is that the CPU usage rockets up and your CPU’s fan might even speed up noticeably.
Because of it simple usage and anonymity (through the underlying blockchain), this technology is easily abused by attackers targeting the user’s CPU power. Attackers are also taking advantage of this technology by embedding miners into other software, like browser plugins.
Recent Comments