For 4 minutes on Saturday 28th of April, two of our beefy bare-metal processing servers were under a sustained 100% load on all cores, after which the root cause was identified, the processes killed, and the offending account blocked. Just over 1 hour later a patch had been developed, tested, and rolled out to all processing nodes. Now for the juicy details.
So to sum up, we've seen JS crypto mining running in YouTube adverts, in man-in-the-middle attacks, and now in cloud APIs such as our own. In hindsight, this was an obvious exploit that we should have seen coming a mile off. We take solace in the fact that our resources were not abused for more than 5 minutes and we are now smarter and better protected for it.
Just to be clear: NO user data was ever at risk or exposed, not even in the slightest. The cryptocurrency mining took place in our headless environments, and exclusively on our processing servers, which are physically separate from our app server. The processing servers do not hold ANY customer data whatsoever and were never subject to any unauthorised access. We have published this post simply because the exploit was novel and interesting: it's always fun seeing the lengths people will go to for a few cents.
As a closing note, we actually support* browser crypto mining. Websites need to be monetised, and ads are increasingly not passing muster at this point. If our own CPU cycles are to be used as payment for viewing free content online, we'd far prefer the method of action to be Monero mining than web pages with 3 autoplay video ads, 6 banners, 5 tracking beacons, and 30Mbs of additional data. Not to mention the security risk that third-party advertisement networks have been shown to be on countless occasions.
* Our support extends only to throttled, consensual mining that is auto-disabled on devices with batteries, like laptops and phones. Such a task would be simple to achieve using the HTML5 battery API or simple user agent checks. Easy to block too, yes, but so are traditional display ads.