Kingston public library website among thousands affected in massive crypto-currency mining hack

For a short period of time over the weekend, thousands of institutional and government websites were covertly mining crypto-currency

Cryptocurrency is an independent form of digital currency.

Over the weekend, Kingston’s public library website was one of thousands affected by a large-scale cyber attack. The hack didn’t compromise any personal information, but instead used the browsers of the website’s visitors to mine crypto-currency.

The attack was uncovered on Sunday by UK security researcher Scott Helme. Helme posted several screenshots on Twitter of the code running on major government websites like the UK’s National Health Service and the United States Courts.

Helme explained that hackers compromised a third-party program called Browsealoud. The service is designed to make websites more accessible for the visually impaired. Because the Browsealoud code is loaded by every site that uses the service, altering it at the source inserted the mining code into thousands of websites at once. Over 4,000 sites were affected by the hack.

“It could have been a catastrophe; it really could have — that’s not just scare-mongering. We were exceptionally lucky this was so mild and so quickly found,” Helme told Motherboard on Monday.

Texthelp, the parent company of Browsealoud, issued a statement on Sunday addressing the attack. The statement called the breach “a criminal act” and indicated that “a thorough investigation is currently underway.”

A screenshot of the Kingston library website, with the problematic code highlighted in blue.

Lester Webb, Director of Outreach and Technology at the Kingston Frontenac Public Library, told The Journal in an interview that he takes these issues “very seriously.”

Webb said his biggest concern was that information might have been breached. However, he said “[Browsealoud] assured us in an email many times that no private information had been breached.” He added it “took away some of the original alarm.”

Webb called the hack’s purpose “illegal,” and said library staff “need to be vigilant.”

“What we’re finding is that this kind of attack on government sites is becoming more and more prevalent. We review and evaluate our security a lot. Things still seem to sneak through,” he said.

David Skillicorn, a professor of Computer Science at Queen’s, told The Journal, “the problem is with a tool like [Browsealoud], it has to run in your browser to do the functionality that you have it for. You’re kind of stuck, because you can’t turn that off and can’t really tell if it’s doing more than just reading to you.”

Skillicorn explained that rather than stealing information, “[the hackers] were essentially stealing electricity from the library to do Bitcoin mining.”

“The problem is that the existence of Bitcoin and other crypto-currencies has suddenly created this market for computation that turns directly into money. There are all sorts of people trying to exploit that new avenue to make money,” he said.

“There is money to be made and all sorts of people — some of them you wouldn’t expect — are leaping into this fight,” Skillicorn continued.

Kingston public library will have its Browsealoud option back up and running by Thursday.
