
Ad campaign runs cryptocurrency miners while unwitting users watch videos - spystath
https://arstechnica.com/information-technology/2018/01/now-even-youtube-serves-ads-with-cpu-draining-cryptocurrency-miners
======
f1notformula1
I don't understand enough about the ad business to answer this myself. If
there's a legitimate reason to allow 3p scripts to run code - it would seem
like creating a domain specific language that Google safely translates into JS
would be so much better. Allowing 3Ps to run arbitrary JS just seems so
shockingly wrong.

No amount of manual auditing can catch malicious code. It's way too complex
for a human to parse.

Is there a legitimate business need that anyone's aware of to have code run in
Ads? If so, why not use a DSL?

~~~
nopriorarrests
I don't know anything about JS-based cryptomining, but I wonder if you can't
stop such ads without breaking 90% of legit ads.

I mean, it all probably boils down to number-crunching? So the DSL you are
envisioning should block really basic language parts, like cycles and math
operations.

If I'm wrong and mining actually could be easily blocked on language level
using some DSL, I'm all ears.

~~~
mcphage
It would be nice if things could be blocked by CPU usage... even if you’re not
mining cryptocurrency, if your ad uses more than 5% of my CPU it should be
killed.

~~~
mgleason_3
...and total CPU Time.

Interesting, just noticed that watching a Udemy course uses 98% CPU (in
Activity Monitor on a MBP). This even if playback is paused. Wonder if they're
doing something similar or it's just a lame implementation?

~~~
Crespyl
I've seen some software video decoders do that at times, though if it's
happening even while paused it's a little unusual (maybe decoding buffered
frames?).

------
richdougherty
The ads are in iframes with sandbox="allow-scripts". (Seen in
[https://i2.wp.com/diegobetto.com/site/wp-content/uploads/201...](https://i2.wp.com/diegobetto.com/site/wp-content/uploads/2018/01/2018-01-25-16_14_23-First-Look_-RC522-RFID-Reader_Writer-4-on-eBay-YouTube.png?w=1618&ssl=1))

I hereby request more sandbox options so we can limit untrusted code properly:

<iframe ... sandbox="allow-scripts limit-cpu=10 limit-gpu=1 limit-bandwidth=5
limit-animation=10">

[https://developer.mozilla.org/en-US/docs/Web/HTML/Element/if...](https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox)

~~~
tomc1985
How about get rid of allow-scripts. Kinda like what they did with
window.onbeforeunload

------
quasse
I had no idea that Google Adwords allowed advertisers to run arbitrary
Javascript in user's browsers because that just seems so monumentally stupid.

Is that their general policy or was this some kind of script injection input
cleansing fuckup on their part?

~~~
advisedwang
This is very common, and isn't just Google Adwords. Advertisers, or rather the
ad-tech companies they use, want to do this to verify that ad views are
'legitimate' and gather extra data to help them bid. Without this advertisers
have to trust ad exchanges to play fair, which of course they don't have any
incentive to do.

This is just yet another reason "Ads pay for content on the internet" hurts
everyone.

~~~
hazelnut
And they said the internet will be safer without Flash

~~~
534b44a
Flash wasn't open, they should have made their own browser when they still had
the chance. One can still do some aggressive fingerprinting using new browser
technologies.

------
tripzilch
Why the hell are YouTube ads allowed to run 3rd party javascript, and _since
when??_

That's the biggest question not answered by Google. Why wasn't there a big
outcry when this became possible? They can do all sorts of shit, not just mine
crypto.

This used to be the single biggest thing _not_ to do. The possibility of
running 3rd party Javascript in Google's ad networks used to be one of the
biggest nightmare scenarios if it got exploited, but the article (or the
Google rep) doesn't mention anything about an exploit, it's as if 3rd party
javascript running on their ad network is expected behaviour, just the fact
that it's running a crypto miner isn't?!

There's no way in hell I am ever going to not block Google's ads after this.
"Youtubers" and "Content Creators" can cry all they want over whitelisting
their channel or site in particular because of all the hard work etc, but not
if they want me to run a hostile ad network's code.

~~~
stinky613
Google has served malicious ads at least as far back as last spring:

[https://www.reddit.com/r/sysadmin/comments/6rm5ig/alert_full...](https://www.reddit.com/r/sysadmin/comments/6rm5ig/alert_fullscreen_scam_sites_have_started/)

[https://news.ycombinator.com/item?id=14140756](https://news.ycombinator.com/item?id=14140756)

~~~
tripzilch
Cool, thanks :) But I'm actually even more interested since when Google
started _allowing_ 3rd party javascript, because the moment when it first got
exploited maliciously was just a matter of time. I mean I seriously want to
read Google's announcement of this "feature", because I'm honestly scratching
my head "wtf were they thinking??".

Just so I got this right: You can buy a particular type of ads on Google's ad-
platform, that will appear on sites and things depending on your target
criteria. AFAIK you used to be able to control these aspects of the ad: The text
shown if it's a text ad, a picture if it's a banner ad, where the ad should
link to, and probably a few cosmetic details. Any tracking cookies and
analysis would be done either by generic Google Ads javascript (the results of
which you can query in your Ads dashboard/control panel) or by whatever
additional tracking javascript you set up yourself on the destination site the
ad links to.

But apparently, at some point, advertisers got the ability to _run their own
(3rd party) javascript_ that will get executed on any site that displays your
ad. I'm assuming they use a clever subdomain/iframe trick so that the security
context of the JS is just that one domain and doesn't UXSS the world. And sure
let's assume this is perfectly watertight. If it wasn't we would be talking
about worse stuff than crypto-miners.

 _Then still_ this script is apparently not prohibited from doing whatever
calculations (for mining or whatever), accessing whichever browser
fingerprinting variables, mouse tracking and whatnot, you can load and execute
remote scripts based on this fingerprinting and easily sidestep any of
Google's scrutiny whether your script is up to no good. Not that they do this
"because it doesn't scale", but it would be useless any way. And then, this
script is able to _ex-filtrate_ all this tracking or mining data. I'm aware
that disallowing these abilities strictly and securely is just not really
possible in JS, there's too many strange ways to access objects and functions,
weird tricks, etc.

Did I get this right so far? Because I'm really a bit with my jaw on the
floor, how the hell did they approve this and not realize it's a landmine?

I'm nearly certain that it must be possible to do other nasty tricks besides
consuming 80% CPU for inefficient crypto-mining. If it's that many people (by
now let's call them zombie nodes or a botnet, which is what Google Ads
apparently gives you) all running your code, you can also use them to DDoS a
site. But if you're just a dick, you can also attack the people themselves.
Most browsers have the cross-domain security down tight, but nearly all of
them have multiple "vulnerabilities" that DoS the browser itself, make it
unresponsive, make it crash (yeah multiple tabs, even if they have their own
threads) or even make the whole system (yeah outside the browser) unstable,
unresponsive or crashy. Maybe not your tweaked/bolted down Linux system, but
the average user's mildly clogged up Win10, easy.

Can these scripts also track and log keypresses or is that somehow separated
because of cross-domain / iframe protection? (it's been a while since I got
real deep into JS security) Because that would be a vulnerability.

So. Many. Possibilities. For. Fuckery.

------
tbyehl
What is the anti-ad-blocking crusaders' response to Google's inability to keep
their content sites free of malicious advertisements?

If I can't trust that YouTube won't serve malicious ads to my PC, who the hell
could I trust?

~~~
fauigerzigerk
The problem with crusaders on either side is that they conveniently ignore or
deny the trade-offs. Advertising based business models come with certain
dangers and annoyances. Paying for content and services directly also comes
with dangers and annoyances.

The reason why I don't use ad-blockers (yet) is that I fear complete loss of
anonymity and even greater censorship powers for governments if everything
becomes a pay service. Payments are the most tightly regulated and monitored
thing on the planet. At the same time you're exposed to credit card fraud and
identity theft.

------
cup-of-tea
Remember when Google ads were considered not too bad? Just boxes of text when
everything else was flashing and making noises. That was a big part of Google
becoming popular and now it's gone.

~~~
api
Advertising is always a race to the bottom.

------
quanticle
This is why I run an adblocker, even for so-called "trustworthy" sites. When
even top-tier networks like Doubleclick aren't doing the necessary due
diligence to prevent malicious ads, what can I do as a user but block _all_
ads, even while knowing this hurts the content creators who use those ads for
revenue?

~~~
jasonkostempski
It's never been your responsibility to run that code. If it had never been
allowed, ad-tech would have found another way. They built an industry on a
horrible assumption and now it's their job to fix it. Everyone can still fall
back to affiliate links if they want, but I doubt most will any time soon.

~~~
Globz
This! It's their job to fix this mess, the burden of finding a better
alternative doesn't lie with us.

I have no ounce of guilt related to blocking ads, if you can't pay the upkeep
of your website and you haven't found any meaningful way for user
contributions then that's on you and if you still serve ads because that's the
only sane solution for your monetary problem then you should expect some users
to block those ads and conclude that both parties did what they thought was
best given this horrible situation.

Affiliate links are great and more people should really consider going back to
this model.

~~~
chii
let me play the devil's advocate and argue that ad supported content is
responsible for some of the biggest chunks of the internet, and if it hadn't
been for such business model, the internet would not have been as amazing as
it is today.

sites like 9gag, 4chan or Reddit, or other such sites are where net culture
breeds. these sites are not going to have the same feel if it had been
subscription supported, as large swathes of users who have no money to
contribute, but have content and creativity would've been locked out.

------
coolio2657
>Both scripts are programmed to consume 80 percent of a visitor's CPU, leaving
just barely enough resources for it to function.

How on Earth do ads not undergo the most basic "does it eat up 80 PERCENT OF A
USER'S CPU" tests before they're allowed on one's network?

There is no amazing hacking going on here besides a lack of security control,
but there is a substantially larger story hiding here somewhere.

~~~
0x0
At the very least I'm sure the script checks a few simple conditions before
unleashing the miner, such as current date, ip, language prefs, possibly a
"go/no-go" boolean hosted on some random webserver, to evade any pre-screening
before being accepted into the ad rotation.

~~~
monocasa
I've heard of something similar where drivers (particularly graphics) trying to
get WHQL cert will check for a special registry entry, and only if it's present
will do the ridiculous unsafe things like directly patching the IDT to get the
performance they want, but will play nice otherwise so they pass cert.

------
zeta0134
I was never at risk for this kind of attack due to my ad blocker, but I can't
help but wonder why the ad was allowed to run in the first place. Surely
Google of all people have the resources to do analysis of javascript code that
is submitted by an advertiser, and not push it out to the platform if this
kind of stuff is detected. This isn't even that hard to automate: does the ad
use excessive amounts of CPU while loaded? Reject it!

Of course if the advertiser is allowed to load their own unverified third-
party javascript from anywhere, these kinds of things can and will continue to
happen. That's why I don't run third party embeds in my browser, and I don't
think anyone should. (An unpopular opinion, I know.)

~~~
thenewwazoo

      if (running_in_youtube()) {
        mine_coin();
      } else {
        return;
      }

~~~
jMyles
Surely Google operates a sandbox sufficiently similar to the ad environment to
foil such a scheme, no?

~~~
UncleMeat
Cloaking is a hard problem. People have a massive monetary incentive to
improve cloaking tools, meaning that basically every technique you can think
of to detect malicious behavior dynamically has a finite timeframe to where it
is no longer useful.

Ad networks almost certainly have a system to detect cloaking. It is almost
certainly not detecting all malicious scripts.

------
pmoriarty
I really hope this leads to the death of javascript in the browser, or at
least in ads.

~~~
floren
I seem to remember way back in the day that you could advertise with Slashdot
(and others, I'm sure) by giving them an image (static or animated GIF) of
specific dimensions, the URL that image should lead to, and obviously some
cash. That was pretty great because they kept it reasonably unobtrusive and
there wasn't any javascript.

I'd rather see Javascript dead, though :)

~~~
rhizome
_I seem to remember way back in the day that you could advertise with Slashdot
(and others, I'm sure) by giving them an image (static or animated GIF) of
specific dimensions, the URL that image should lead to, and obviously some
cash_

Right, direct advertising. IIRC, anybody who seriously suggests it is
routinely shouted down as impractical.

~~~
always_good
Well, the first problem is that only a relative few sites are big enough to do
direct advertising. The harder question is how to keep web content
decentralized by decentralizing means to revenue, a battle we are aggressively
losing.

~~~
rhizome
I don't know what your second sentence means, but why do you have to be large
to do direct advertising?

------
ABCLAW
Somewhere, someone said to their business partners "Why, what if we decided to
chew through the useful economic life of someone else's assets without telling
them?" and the people in the room said "Sure, lets go get it done".

~~~
kej
Now I'm curious if it was a company decision or just a lone developer who
realized he could toss that in and nobody would catch it.

------
zython
There is no reason why ads aren't just plain text, video or animated vector
graphics. There is literally no reason to allow them more (read; execute
javascript).

If anyone comes up with a valid reason I will invest all my life savings into
garlicoin.

~~~
olleromam91
Did you hover your mouse over the ad? Did you click? How many times have you
viewed it?

That's all useful information to the advertiser.

~~~
CaptSpify
Useful to the advertiser != a valid reason

A camera in my office watching me all day would be useful to the advertiser.
That doesn't make it a valid reason to put one there

------
danjoc
This, shortly after youtube went all JS. With JS disabled, it's just a blank
page now. I'm glad I disable JS. Saves me a ton of data bandwidth and protects
me from advertisers. There's just not a lot of upside to my using JS anymore
these days. Some big sites might not work, but that turns out to my benefit.

These antics put the whole JS ecosystem at risk. Remember how normies figured
out cookies were bad and turned them off? Even Tony Soprano was talking about
turning off cookies. This can be much worse. Might actually kill the web and
push everyone off to native apps for good.

~~~
nugi
JS dying would be a boon to the open internet imho.

------
pixelperfect
Funny idea: a long form journalism site could intentionally and openly embed
such a script, allowing readers to make "micropayments" of lent CPU time to
the site while they read articles.

~~~
jzwinck
Three problems:

1. It would not make sense to run on mobile.

2. Mining this way is inefficient, so if the site gets one penny worth of
work done, it costs me five pennies.

3. Unless readers have decent GPUs, it's probably not enough money.

~~~
tripzilch
I'm pretty sure the factor five in your second point is in reality _way_ worse
than that, probably (wild guess) at least over 25x.

Mining is not only inefficient when implemented in JS (even with the web asm
stuff, many clients have no support), or when it runs on crappy or old
hardware, it also depends on what your electricity costs. Pro-miners put their
farms in locations where electricity is super cheap, often in the middle of
nowhere, perhaps near a hydro dam. Most clients are on a laptop or mobile in a
city, where electricity is much more expensive, and their electric efficiency
is made worse because they run it off battery.

Distributed crypto-mining for micropayments via embedded JS is such a _huge_
waste, I'd probably have more problems if I _knew_ the site was doing that,
for the guilt of wasting that electricity while reading, just so the author
can inefficiently receive a few fractions of a cent. I might even ( _gasp_ )
rather watch a video ad instead.

------
anfilt
Javascript was the biggest mistake to add to the web standards.

However, the web standards themselves are unnecessarily complex. W3C and
WHATWG are partly to blame. Remember HTML was supposed to be a document that
the user could change the styling of similar to how some gopher clients would
let user change the look of how you viewed all content.

However, that is kinda ancient history these days. However, the web standards
need to make a new format that breaks backwards compatibility. An app based
format, and a document only format. Sadly, I don't see this happening.

--EDIT-- Also a lot of web designers don't care if their site does not work if
JS disabled...

If I were to rework the standards, I would make any syntax for standard
defined languages quite strict. Further, for document based content make sure
content is always readable without freaking stupid dynamic eye candy.

~~~
talmand
As per my usual, let's not blame the tool for the bad use of said tool.

------
DandyDev
Google can build software that can autonomously learn how to beat humans at
the hardest games in existence (or buy a company that builds said software),
but it cannot detect malicious code in ads before serving those ads...

I call bullshit

~~~
slrz
How would you go about deciding reliably whether a given Javascript program
would perform a malicious computation on certain inputs? As the concept of
malice seems somewhat hard to pin down, let's simplify the problem a bit: it's
enough to decide whether that JS code stops at all or if it would just run
forever. How to get that ad smasher written?

------
Animats
With WebAssembly, such things will be even harder to find!

------
MattGrommes
Oh, I wonder why oh why do people use ad blockers?

------
seangrant
Wait, what?? I can inject my own Javascript into Google ads? How is this done?

~~~
Macha
[https://www.iab.net/vpaid](https://www.iab.net/vpaid)

Similar things exist for older ad types, they're just less standardised.

~~~
Macha
Since I just grabbed the first link from DDG, and failed to check if it was
working, here's a corrected link:

[https://www.iab.com/guidelines/digital-video-player-ad-inter...](https://www.iab.com/guidelines/digital-video-player-ad-interface-definition-vpaid-2-0/)

------
rhizome
I'd love it if there was a way to monkeypatch JS functions in the browser
(like we do for styling in userChrome.css) so that ones that BTC relies on
become no-ops.

~~~
fulafel
There is, see Tampermonkey/Greasemonkey.

~~~
rhizome
I use Tampermonkey, can you be more specific?

~~~
fulafel
You can provide user specified JS to run in web page contexts and eg do monkey
patching.

------
bkohlmann
What strikes me about this is actually tangential to the specific issue the
article addresses.

New technologies push the bounds of opportunity and risk. Folks trying to take
advantage of the upside will exploit anything to achieve their goals. In the
process, natural systems will emerge to combat them and close the exploits.
This amoral process actually leads to emergent, unanticipated outcomes. You
actually NEED the chaos upfront for society to eventually discover a stable
equilibrium.

All the negative externalities from BitCoin / blockchain are really just a
naturally occurring shake out of kinks. Much like the wild experiments and
exploits of the 90s eventually led to the equilibrium we have for the current
Web.

------
digitalsin
This is one big reason I love Brave as a web browser. You don't deal with this
crap.

~~~
angryasian
Well brave does intend on displaying ads at some point. Without knowing their
exact implementation as to what ads will be displayed it might be possible
eventually.

~~~
digitalsin
True, but they're off by default

------
Scoundreller
Adsense has a new feature where publishers can turn off low-value ads, and it
estimates how much ad revenue you'll keep.

(For web publishers, no idea about video pubs)

In my case, I can turn off 33% of all ads and still earn 99% of revenue.

Turning off 50% will earn me 95% of ad revenues.

Turning off 90% of ads will earn me 67% of ad revenues.

The pareto principle is strong.

------
debt
The hilarious thing about this is that so what why not? Can't I opt to let
another co-opt my cpu while I watch videos so that I don't have to watch ads?

I'd much prefer people using my cpu to mine bitcoin than to render some shitty
ad.

This is actually a fascinating development in this space.

~~~
klodolph
The payoff isn't good enough for this to support ad-free services, and the
payoff gets worse as crypto becomes more popular. Then there's the fact that
you might be browsing from a battery-powered device.

~~~
nopriorarrests
>The payoff isn't good enough for this to support ad-free services

Hmm, wait. How does it work, then?

Let's say I'm paying 1$ to display malicious ad which mines something. BTC.

If the amount of mined BTC is lower than 1$, the whole operation becomes
unprofitable. Why should I pay 1$ to mine 90 cents via ad?

If people are running this operation on scale, it should be profitable. But
then payoff is by definition good enough to support ad-free service. Instead
of taking 1$ from advertiser, google can theoretically mine 1$ on my PC and
let me watch video without ads.

What do I miss?

~~~
sigstoat
you still get to display an advertisement. so it isn't "mined BTC > $1 -->
success"; it is "mined BTC + expected value of running scam ad > $1 -->
success"

~~~
debt
I think his point was a hypothetical without the advertising component. Like
if they just embedded bitcoin miners in every page that displayed a youtube
video.

------
yorby
Does Chrome's ad blocker block those? I wouldn't know because I don't trust
Chrome.

------
SubiculumCode
I'm sure someone is already developing it if it's a good idea, but it seems
that instead of ad revenue, internet content could be paid for by cryptomining
while consuming their content.

~~~
SubiculumCode
The advantage of a cryptomining internet economy instead of an adtracking
internet is the privacy benefit.

------
caresource_ta
This title is misleading, maybe something like "Attackers abuse ad platform
to serve cryptocurrency mining ads on YouTube".

~~~
nugi
The title seems factual to me.

~~~
caresource_ta
The original title was something to the effect of "YouTube now using CPU
draining cryptocurrency miner in ads."

------
rapnie
could this kind of thing also be on m.huffpost.com?

when reading articles there my android cpu goes all-in, phone getting hot..

avoiding the site now :)

------
lousken
another reason to use youtube-dl

------
craftyguy
what are the favorite alternatives to youtube?

~~~
emh68
YouTube Red?

~~~
rhizome
Does YTR allow me to turn off annotations permanently?

~~~
fossuser
I think you can actually do this without having a YouTube Red account - it's
under youtube settings and then under playback (there's a checkbox for
annotations).

I'm using the Red free trial (it's 3 months) and it's actually pretty nice to
have more control over the experience and not have to deal with ads. I found
the ublock origin wasn't perfectly effective on YouTube anyway.

If only FB offered a $10 a month no ad subscription it'd be a lot nicer to use
too.

~~~
rhizome
Yes, there's a UI control for it, but Google regularly resets it. It's
basically as effective as setting your Facebook timeline to "Recent first."

------
tripzilch
In addition to simply being rather pissed off about all of this, I was just
wondering (don't worry--I'd rather just block ads than actually be arsed to
implement it):

If your browser becomes a node in a crypto-mining network, it'll start number
crunching and occasionally send the results to some central server for
collection.

What if your browser doesn't play nice? What if it sends bad or misleading
data?

I'm not sure how Monero exactly does its thing, but I know that for Bitcoin it
goes a little something like this[0]: You start out with a quasi-random
"salt", I think it comes from the previous block. Then you append a bunch of
random bytes to that salt, and hash it (SHA256? or some popular hash function,
anyway). The goal is to find just the right random bytes so that the hashed
value has the longest run of ones as its least-significant bits. If the length
of that run is equal or longer than the current "difficulty level", then
you're the lucky winner and you just mined a block of bitcoin! These correct
random bytes are hard to find, you have to bruteforce them, but super easy to
check: just one hash and see if it has a long enough run of ones.

Because even on decent hardware, odds of personally mining a block are in the
order of once-a-year-maybe, people often join mining pools that share the
profit. I'm not sure how they make sure everyone in the pool plays fair and
divide up the profit based on the amount of work they put in (or amount of
hashes they checked). The crypto-miner obviously joins a pool because with the
shitty performance of stolen CPU-time over millions of people visiting an
infected site for a few seconds, they kind of have to if they want a payout
more often than once-a-decade-perhaps-not-even.

Can you mess this up for whoever owns the pool account that the distributed
cryptominers send their data to? I suppose if that miner's account tries to
scam the pool and report way more hashes checked than they actually did, or
something like that, would it ban the account and lose all profit up till
then?

What if your browser just reports any bunch of random bytes as "nope, that's
not it", without even bothering to hash it? What if one of those just happens
to be the winning bytes and it gets discarded and never tested again? Does it
even work like that or do the JS miners just pick a random value to append to
the salt, hash and test (with the risk of trying certain values more than
once).

Even then, I'm certain that you can bugger up whatever protocol these hostile
JS miners use, and cause all _sorts_ of "interesting" and costly misbehaviour
in the pool. Though I should read up on how these things actually work, the
above is just vague guesses based on what I know about bitcoin's
crypto/protocol/algorithm (I actually did read the whitepaper once, but it was
maybe a decade ago or so) and even vaguer guesses on how these mining pools
work (that I haven't dug into very much).

[0] I'm probably wrong about some details because it's been a while since I
read that whitepaper, so correct me if they're interesting details :)
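As an added illustration (not from the comment above, the article, or any real pool software), here is a minimal pool-side share check in Python. It follows the standard proof-of-work rule that a share is valid when the double-SHA-256 of header-plus-nonce falls below a target (i.e. has enough leading zero bits), and shows why a browser that skips hashing or reports junk cannot hurt the pool's accounting: each submission is verified with a single hash, and only verified, never-before-seen shares earn credit. The header prefix, share difficulty and worker names are constructed sample values.

```python
import hashlib

# Constructed sample values: a fake 76-byte header prefix (a real Bitcoin header
# holds version, previous hash, merkle root, time and bits here) and a low share
# difficulty so the brute force below finishes in milliseconds.
HEADER_PREFIX = hashlib.sha256(b"constructed header prefix").digest() * 2 + b"\x00" * 12
SHARE_BITS = 12          # pool share target: hash must start with 12 zero bits


def pow_hash(header_prefix: bytes, nonce: int) -> bytes:
    """Bitcoin-style double SHA-256 over the header bytes plus a 4-byte nonce."""
    data = header_prefix + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits; more zero bits means a smaller hash value."""
    return 256 - int.from_bytes(digest, "big").bit_length()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """Proof-of-work check: one hash, compared against the target."""
    return leading_zero_bits(digest) >= difficulty_bits


def find_share(header_prefix: bytes, difficulty_bits: int,
               start_nonce: int = 0, max_tries: int = 1 << 20):
    """Honest miner: brute-force nonces until one meets the share target."""
    for nonce in range(start_nonce, start_nonce + max_tries):
        if meets_target(pow_hash(header_prefix, nonce), difficulty_bits):
            return nonce
    return None          # nothing found within the budget (vanishingly rare here)


class Pool:
    """Minimal pool accounting: credit only shares that verify, once each."""

    def __init__(self, header_prefix: bytes, share_bits: int):
        self.header_prefix = header_prefix
        self.share_bits = share_bits
        self.seen = set()             # (worker, nonce) pairs already credited
        self.credits = {}             # worker -> accepted shares
        self.rejects = {}             # worker -> rejected submissions

    def submit(self, worker: str, nonce: int) -> bool:
        # Verification costs the pool one double-SHA-256 per submission, so
        # junk, out-of-range or replayed shares are cheap to reject and earn nothing.
        if (worker, nonce) in self.seen or not 0 <= nonce < 1 << 32:
            self.rejects[worker] = self.rejects.get(worker, 0) + 1
            return False
        if not meets_target(pow_hash(self.header_prefix, nonce), self.share_bits):
            self.rejects[worker] = self.rejects.get(worker, 0) + 1
            return False
        self.seen.add((worker, nonce))
        self.credits[worker] = self.credits.get(worker, 0) + 1
        return True


def first_failing_nonce(header_prefix: bytes, difficulty_bits: int) -> int:
    """Demonstration helper: the smallest nonce that does NOT meet the target."""
    nonce = 0
    while meets_target(pow_hash(header_prefix, nonce), difficulty_bits):
        nonce += 1
    return nonce


if __name__ == "__main__":
    pool = Pool(HEADER_PREFIX, SHARE_BITS)
    good = find_share(HEADER_PREFIX, SHARE_BITS)
    print("honest share accepted:", pool.submit("honest", good))
    print("replayed share accepted:", pool.submit("honest", good))
    bad = first_failing_nonce(HEADER_PREFIX, SHARE_BITS)
    print("junk share accepted:", pool.submit("junk", bad))
    print("credits:", pool.credits, "rejects:", pool.rejects)
```

A client that discards nonces without hashing them simply finds fewer valid shares and is credited less; it never sends anything the pool has to trust unverified.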

------
HenryBemis
And talking about filthy ads, the one served by Arstechnica [1] tells me
"Warning - Your computer is infected.. blah blah blah.. Download Free
Antivirus..blah blah..".

And it's not even a 3rd party one.

[1]: [https://cdn.arstechnica.net/wp-content/uploads/2018/01/ad.jp...](https://cdn.arstechnica.net/wp-content/uploads/2018/01/ad.jpg)

~~~
haldean
That's an image of the malicious ad from YouTube that the article is about...

~~~
HenryBemis
You are both very correct. I browsed through the article really fast and
skipped many lines. The light-grey in my comment is well deserved!

