jQuery Blog Gets Hacked – Hackers Compromise CoinHive’s DNS

In two separate incidents, the security of two high-profile platforms, jQuery and CoinHive, was compromised.

jQuery

Earlier today, two hackers going by the online handles “n3tr1x” and “str0ng” hacked and defaced the official blog of jQuery (blog.jquery.com). The JavaScript library project runs its blog on the WordPress content management system (CMS), and the defacement screenshot shows that the hackers posted from the editor account of Leah Silber, a core team member at jQuery.

According to The Hacker News, there is no evidence that the server hosting the jQuery library files (code.jquery.com) was also compromised. Remember that although WordPress powers millions of websites, the platform is also known for critical zero-day security flaws.

Therefore, it is quite possible that the hackers did not break into Silber’s account at all, but instead exploited a WordPress security flaw unknown to its developers. Here’s a screenshot of the defaced page, taken before jQuery deleted the blog post published by the hackers:

At the time of publishing this article, the post published by the hackers had been removed.

CoinHive hack

CoinHive is a firm that provides a cryptocurrency miner written in JavaScript; any coins mined by a visitor’s browser are credited to the owner of the website that embeds the script. CoinHive was in the news last month when The Pirate Bay (TPB) was caught using its visitors’ CPUs to generate Monero cryptocurrency.

TPB was using the mining code provided by CoinHive. The code is neither a virus nor a trojan, but the security community considers its use unethical when site visitors are not informed. With its growing popularity, CoinHive became a prime target for hackers: on 23rd October, CoinHive’s DNS was hijacked so that the mining already running on thousands of websites paid out to the attacker instead of the site owners.

According to reports, an unknown hacker was able to compromise CoinHive’s Cloudflare account, which allowed them to modify its DNS records and replace CoinHive’s official JavaScript file, loaded by thousands of websites, with a malicious one.

CoinHive also acknowledged the hack in a blog post, explaining that “Tonight, Oct. 23rd at around 22:00 GMT our account for our DNS provider (Cloudflare) has been accessed by an attacker. The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server.”

“This third-party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker “steal” hashes from our users.”

Culprit: The leaked password

The CoinHive team further explained that the attackers hijacked the Cloudflare account using a password that had leaked in the Kickstarter breach back in 2014, a textbook case of password reuse across services. This means CoinHive had not changed the password on its Cloudflare account in three years.

“We have learned hard lessons about security and used 2FA and unique passwords with all services since, but we neglected to update our years old CloudFlare account,” said CoinHive.

Your favorite site might be using your CPU to generate cryptocurrency

As mentioned above, The Pirate Bay was secretly running CoinHive’s cryptocurrency mining script. In response, the TPB team claimed it was a 24-hour test of an alternative to advertising, but a month later the site was again caught secretly using its visitors’ CPU power to generate digital currency.

Also a month ago, two websites owned by CBS’s Showtime were caught mining cryptocurrency with their visitors’ CPUs. That’s not all: researchers also discovered that hackers are infecting mods for the popular Grand Theft Auto V (GTA 5) video game with malware that uses the user’s PC to generate digital coins.

Another report found that hackers are compromising websites and embedding cryptocurrency mining scripts in them to make money without the knowledge of the website owners. Users are therefore urged to remain vigilant, treat sustained high CPU usage while a page is open as a warning sign, and check the site’s source code to see whether the site they are visiting is using their PC’s processing power to make money for someone else.

How to protect your PC from misuse?

Google is taking the issue seriously: the Chrome security team has announced that it plans to release new security features that will block embedded cryptocurrency mining by default. In the meantime, users can install Chrome extensions such as minerBlock and No Coin, which block cryptocurrency miners.
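The source-code check the previous section recommends, and the host blocklist approach used by miner-blocking extensions, can both be automated. The following is an added example written for this article; it is not code from CoinHive, minerBlock or No Coin. The indicators it looks for are assumptions based on CoinHive’s publicly documented embed snippet (a script loaded from coinhive.com and an inline call to CoinHive.Anonymous or CoinHive.User with a site key); the HTML pages and the site key in it are constructed for the example.

```javascript
// Added example (not from the article or from CoinHive): scan a page's HTML
// source for an embedded browser miner, and decide whether a script request
// should be blocked. Indicator patterns are assumptions based on CoinHive's
// documented embed snippet; extend the lists for other miner services.

const MINER_SCRIPT_HOSTS = ['coinhive.com']; // host named in the article

// Inline API call with the site key that decides who gets paid for the hashes.
const MINER_API_PATTERNS = [
  /\bCoinHive\.(Anonymous|User)\s*\(\s*['"]([^'"]+)['"]/g,
];

// Pull every <script> out of raw HTML: its src attribute (if any) and body.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push({ src: srcMatch ? srcMatch[1] : null, body: m[2] });
  }
  return scripts;
}

// Host part of an absolute or protocol-relative URL, lower-cased; null otherwise.
function hostOf(url) {
  const m = /^(?:https?:)?\/\/([^/:?#]+)/i.exec(url.trim());
  return m ? m[1].toLowerCase() : null;
}

// Exact or subdomain match only: "evil.coinhive.com.attacker.test" must NOT match.
function hostMatches(host, blocked) {
  return host === blocked || host.endsWith('.' + blocked);
}

// What a blocklist extension does per request: block if the host is a known miner host.
function shouldBlockRequest(url) {
  const host = hostOf(url);
  return host !== null && MINER_SCRIPT_HOSTS.some(b => hostMatches(host, b));
}

// Manual "check the source" made repeatable: returns a list of findings.
function scanForMiners(html) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src && shouldBlockRequest(s.src)) {
      findings.push({ kind: 'external-script', detail: s.src });
    }
    for (const pat of MINER_API_PATTERNS) {
      pat.lastIndex = 0; // global regex: reset before scanning each script body
      let m;
      while ((m = pat.exec(s.body)) !== null) {
        findings.push({ kind: 'miner-api-call', detail: `CoinHive.${m[1]} siteKey=${m[2]}` });
      }
    }
  }
  return findings;
}

// Constructed sample pages (not captured from any real site). The site key is fake.
const SAMPLE_MINING_PAGE = `<html><head><title>free movies</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY_NOT_REAL');
  miner.start();
</script>
</body></html>`;

const SAMPLE_CLEAN_PAGE = `<html><head>
<script src="https://cdn.example.com/jquery.min.js"></script>
</head><body><script>console.log('hello');</script></body></html>`;

console.log(scanForMiners(SAMPLE_MINING_PAGE)); // two findings: script host + API call
console.log(scanForMiners(SAMPLE_CLEAN_PAGE));  // []
```

Note the limit of a source-code check: in the CoinHive incident the URL on the embedding sites never changed, only what coinhive.com resolved to, so a page that loads the official script and one that loads the hijacked copy look identical in HTML. Inspecting the source tells you that a site mines; it cannot tell you whose site key the fetched script carries.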

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.