
Starbucks cafe's wi-fi made computers mine crypto-currency - haZard_OS
http://www.bbc.com/news/technology-42338754
======
shak77
[https://news.ycombinator.com/item?id=15897811](https://news.ycombinator.com/item?id=15897811)

------
btrask
It's funny because if your computer is plugged in at a Starbucks, they're
mining with their own electricity. Whoever did this wasn't stealing from their
customers nearly so much as they were stealing from Starbucks themselves.

------
IncRnd
This wasn't the first, and it won't be the last.

    
    
      https://twitter.com/imnoah/status/936948776119537665/photo/1
      https://www.theverge.com/2017/9/26/16367620/showtime-cpu-cryptocurrency-monero-coinhive
      https://wccftech.com/the-pirate-bay-cryptojacking-mine-monero/
      https://coinhive.com/
    

From Coinhive:

    
    
      *Ad-Free Content
      Run your site without ads
    
      Coinhive offers a JavaScript miner for the Monero Blockchain 
      that you can embed in your website. Your users run the miner 
      directly in their Browser and mine XMR for you in turn for
      an ad-free experience, in-game currency or whatever 
      incentives you can come up with.*

~~~
minikites
There's a Twitter threading site that does this too:
[https://twitter.com/tttthreads/status/922503320765218816](https://twitter.com/tttthreads/status/922503320765218816)

~~~
IncRnd
I researched a little more from what you pointed out, and here is a list that
I found of pages that load the coin-hive miner, dated Sep 28.

[https://gist.github.com/PaulSec/029d198a1e049acead74c31db0de...](https://gist.github.com/PaulSec/029d198a1e049acead74c31db0de1466)

[https://twitter.com/paulwebsec/status/913055079112036352?lan...](https://twitter.com/paulwebsec/status/913055079112036352?lang=en)

------
kbart
I use my PC fan as a detector for nefarious scripts. If opening a site causes
a fan to run at its peak for more than a few seconds, I close it immediately or
at least disable JS on it.

~~~
reustle
If you're on a Mac, I'm a huge fan of MenuMeters

[https://www.ragingmenace.com/software/menumeters/](https://www.ragingmenace.com/software/menumeters/)

~~~
gedrap
I like iStat for this purpose
[https://bjango.com/mac/istatmenus/](https://bjango.com/mac/istatmenus/)

------
osrec
It was the WiFi provider, not Starbucks. I'm guessing they were doing this at
other cafes and hotels etc.

~~~
claudius
It was Starbucks’ wifi provider, selected by Starbucks and operating under
Starbucks’ supervision. This is 100% on Starbucks, not on anyone else.

~~~
Cthulhu_
So you're saying never to trust 3rd party providers? It's one for the legal
team I'd say; in this case Starbucks probably didn't provision for abuse or
time spent in the wifi portal in the contracts. Might have a case for causing
reputation damage.

~~~
vorotato
If it were my business I'd absolutely say that. Doesn't mean you shouldn't USE
3rd party providers but you should be very careful. That's obviously not
saying anything about legal responsibilities, of which I know nothing.

------
IIAOPSW
meh

I'll take background mining over ads any day.

Users may bitch and moan now, but they'll come groveling back in no time.
Their outrage is no match for their lack of attention span and need for free
content. Soon enough background mining will be as un-newsworthy as banner ads.

~~~
gambiting
Except that the majority of PC users are on laptops, and mining in the background
WILL make your fan go nuts, which is not what you want as a user. On my
desktop - sure, I won't even notice. But on a laptop, where the fan stays
off/low rpm when just browsing? Nope.

~~~
drngdds
Battery life is an even bigger issue. I don't want to see ads, but I also
don't want my phone or laptop's battery being drained so the site owner can
get a few fractions of a penny.

------
Legogris
If you don't use a VPN, this is one more reason to make sure to exclusively use
HTTPS.

~~~
maxencecornet
HTTPS or not, the mining script will work

~~~
theodorton
But the Wifi provider can't inject their own mining script on arbitrary sites
with https.

~~~
jamiethompson
This wasn't injected though. It's a splash screen that pretends to load for 10
seconds (whilst mining) before forwarding the user on to some Starbucks
rewards site.

------
roberdam
Fun to see who else is doing this:
[https://nerdydata.com/search?query=coin-hive](https://nerdydata.com/search?query=coin-hive)

------
emodendroket
I can't see how the security researcher's advice helps anyone.

~~~
jamiethompson
It's good advice but completely irrelevant to this incident.

------
krisdol
This was isolated to one cafe in Argentina.

~~~
jamiethompson
The OP on Twitter states otherwise. It was observed by him in several
Starbucks locations in Argentina.

[https://twitter.com/imnoah/status/941050946100097024](https://twitter.com/imnoah/status/941050946100097024)

------
nvr219
How does this work?

~~~
tyingq
See [https://coinhive.com](https://coinhive.com)

It mines Monero using JavaScript. Best suited for sites where you sit on one
page for a long time, and where there's lots of visitors.

Often, it turns out that it isn't the site owner doing it, but rather, they
were hacked, and someone injected the JavaScript.
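
Added example, not part of any commenter's post: a small Node.js check that a site owner or portal operator could run over a fetched page to spot a Coinhive include or an inline miner start-up like the injected JavaScript described above. The host list, function names, sample HTML and site key placeholder are assumptions made for illustration.

```javascript
// Added example: flag Coinhive-style miner scripts in a page's HTML.
// MINER_HOSTS / MINER_API_MARKERS are an illustrative blocklist, not a complete one.
const MINER_HOSTS = ['coinhive.com', 'coin-hive.com'];
const MINER_API_MARKERS = [/\bCoinHive\.(Anonymous|User|Token)\s*\(/];

function hostMatches(host, blocked) {
  const h = host.toLowerCase().replace(/\.$/, ''); // drop a trailing root dot
  return h === blocked || h.endsWith('.' + blocked); // exact host or subdomain only
}

function findMinerScripts(html, pageUrl) {
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const src = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
    if (src) {
      let url = null;
      try { url = new URL(src[1] ?? src[2] ?? src[3], pageUrl); } catch { /* unparsable src */ }
      if (url && MINER_HOSTS.some((b) => hostMatches(url.hostname, b))) {
        findings.push({ kind: 'external', detail: url.href });
      }
    }
    if (MINER_API_MARKERS.some((re) => re.test(body))) {
      findings.push({ kind: 'inline', detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// Constructed sample of a splash page; the site key is a placeholder.
const SAMPLE_PORTAL = `
<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="/static/portal.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script>
<script src="https://notcoinhive.com.example/lib.js"></script>
</head><body>Connecting...</body></html>`;

console.log(findMinerScripts(SAMPLE_PORTAL, 'http://portal.example/splash'));
```

A renamed or self-hosted copy of the library would slip past the host list, so the check is a first-pass filter rather than proof that a page is clean.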

------
homero
Yeah in Buenos Aires

