Distributed Mining in the Browser

Recently I visited a website whilst browsing around, and after a few minutes of reading I noticed my Mac's fans spinning up in an unusual flurry of activity for such a light task. I decided to dig around under the hood to see what was going on and, lo and behold, the Google Chrome Helper process was eating almost all 8 of my cores O_o. What was causing this? I only had one site open, so I decided to restart the browser and open the same page again in case Google Chrome had had a panic attack for no apparent reason. However, the same symptoms occurred. Time to take a look under the hood...

There wasn't a lot going on in the JS console pane, so I turned to look at the network activity. Then I spotted something odd: a websocket that was pretty chatty long after the page had loaded, which appeared to be initiated from some JavaScript with Miner in the function names. Suddenly it was obvious that my browser was being enslaved as a CPU miner for some cryptocurrency, implemented completely in JS.
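The two signals described above (a websocket still exchanging messages long after load, and script code with "Miner" in its identifiers) can be checked offline against a network capture. This is an added example, not code from the original post: the HAR sample is constructed, the hosts and function names in it are hypothetical, and the thresholds and the reading of Chrome's `_webSocketMessages` times as epoch seconds are assumptions.

```javascript
// Constructed sample shaped like a Chrome DevTools HAR export; not captured traffic.
const T0 = Date.parse("2017-10-01T12:00:00.000Z");
const wsMsgs = (startMs, n, stepMs) => Array.from({ length: n }, (_, i) =>
  ({ type: i % 2 ? "receive" : "send", time: (T0 + startMs + i * stepMs) / 1000, data: "{}" }));
const sampleHar = { log: {
  pages: [{ startedDateTime: new Date(T0).toISOString(), pageTimings: { onLoad: 2000 } }],
  entries: [
    { request: { url: "https://cdn.example/lib.js" },   // hypothetical host and names
      response: { content: { text: "function startMiner(){} var MinerThrottle=0.2;" } } },
    { request: { url: "https://site.example/app.js" },
      response: { content: { text: "function render(){}" } } },
    { request: { url: "wss://ws.example/proxy" }, response: { content: {} },
      _webSocketMessages: wsMsgs(60000, 8, 5000) },      // busy a minute after load
    { request: { url: "wss://site.example/chat" }, response: { content: {} },
      _webSocketMessages: wsMsgs(1000, 2, 500) },        // only active during load
  ] } };

// Flags the two signals from the post: sockets still busy long after load,
// and script bodies whose identifiers contain "Miner".
function findMinerSignals(har, { quietAfterMs = 30000, minLateMessages = 5 } = {}) {
  const page = har.log.pages[0];
  const loadedAt = Date.parse(page.startedDateTime) + page.pageTimings.onLoad;
  const findings = [];
  for (const entry of har.log.entries) {
    // Assumption: message times are epoch seconds, as in Chrome's export.
    const late = (entry._webSocketMessages || [])
      .filter((m) => m.time * 1000 - loadedAt > quietAfterMs);
    if (late.length >= minLateMessages) {
      findings.push({ signal: "chatty-websocket", url: entry.request.url, count: late.length });
    }
    const body = (entry.response.content && entry.response.content.text) || "";
    const names = [...new Set(body.match(/[\w$]*Miner[\w$]*/g) || [])];
    if (names.length > 0) {
      findings.push({ signal: "miner-named-script", url: entry.request.url, names });
    }
  }
  return findings;
}

console.log(findMinerSignals(sampleHar));
```

Both checks are heuristics: the name match only catches scripts that keep readable identifiers, so the late-socket signal is the one to weigh more heavily.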

Initially I was pretty angry to think that just by visiting a website I had opened my CPU up to unauthorised usage, even if it is secured within the confines of my browser. Then I thought, what is the point when CPU mining is typically not worth bothering with in most currencies, and a JS-based miner must be even worse! I started looking into the script and found it was from coinhive.com, so I moved over to the Coinhive website to try and find out more info. It turns out the JS miner mines Monero, which instead of the usual hashing algorithms seen in other currencies utilises CryptoNight, a much heavier algorithm which sees little benefit from GPU / ASIC mining.

Coinhive has come up with some interesting use cases and ideas about why this may be useful for a site beyond earning the publisher some additional revenue: a proof-of-work captcha, a URL shortener which mines for a short period instead of showing an interstitial advert and, of course, incentivising your users to mine on your behalf whilst rewarding them with some bonus such as in-game money, file downloads or ad-free browsing.

Of course there is an easy way to stop sites from hijacking your CPU power: simply disable JavaScript or use a plugin like NoScript, although in a JavaScript and AJAX heavy world this will soon be a pain. I used to run NoScript for a few years, although I got increasingly frustrated by sites not working as I expected and having to add many exceptions just to use the internet without a fuss.

It has probably become apparent by now, if you do not have JS disabled, that I have in fact dumped Coinhive on this page, especially if you are on a laptop and the fan is spinning up, or if your mobile device is getting hot to the touch. You are probably feeling the same feeling I felt when I first stumbled onto a site running this script. The ethics are still open for discussion on this one. Part of me tells me it's a pretty cool way to help webmasters suck every last penny from their site to help with those hosting costs, and it's not really any different to those pesky AdSense advertisements. Another part of me says it goes too far, as it essentially consumes a disproportionate amount of power in the viewer's browser for no gain to the site visitor. Of course, some will say it's the end user's fault for not taking reasonable precautions against JavaScript workloads running in their browser, just like the argument that a user can always install ad-blocking browser extensions. There have already been a few cases where in-browser mining has caused a commotion, such as Pirate Bay (no real surprises there) and CBS' Showtime.

It will be interesting to see how this mindset pans out. Will the use cases end with in-browser currency mining, or will we see other workloads being run in clients' browsers? Will we see this type of activity getting flagged as malicious? Is it really malicious or is it just frowned upon? Is it OK to ask users if they'd like to donate their CPU on a site rather than just stealing it? Is it really stealing it, or is it fair that if someone stumbles onto your slice of the internet they contribute something back, a bit like taking a gift or bottle of wine when visiting a friend for dinner? All these questions and more remain to be answered with time.

If you'd like to give it a go yourself, you'll need to grab a Monero wallet, much like with any other cryptocurrency. I personally dislike online wallets and prefer to grab the client and have my wallet locally on a host I can (hopefully) keep control of. Then head on over to http://www.coinhive.com, sign up for an account and add their JS along with your API key to your website. When visiting your site you'll notice your hash count rise in the Coinhive dashboard as your browser mines. The mining happens very much in a pool-like fashion, and each user can provide a small amount of hashes during their visit. Once you reach 0.5 XMR you can transfer out to your wallet / exchange. Bear in mind this activity may be frowned upon by some of your visitors and it may not go down too well!

By @Robert Putt