For 4 minutes on Saturday 28th of April, two of our beefy bare-metal processing servers were under a sustained 100% load on all cores, after which the root cause was identified, the processes killed, and the offending account blocked. Just over an hour later a patch had been developed, tested, and rolled out to all processing nodes. Now for the juicy details.

To provide our Screenshot-as-a-Service API we maintain a number of full-fat processing servers running behind a load balancer located at api.webcargo.io. Each of these servers runs our full suite of services, including headless versions of real web browsers such as Google's Chrome. On Saturday, a new customer joined our service and began sending requests to our API to generate a screenshot of a page containing only a CoinHive JavaScript crypto-currency mining script. The requests also specified that our API should wait the maximum number of seconds allowed before taking the screenshot and closing the browser session. These parameters let the client run each request for 25 seconds, and by running many requests concurrently the customer achieved the sustained load. Simple but effective, with no opportunity cost on the attacker's behalf.
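The abuse pattern above has a simple signature in API request logs: one account holding many concurrent browser sessions, every one of them pinned at the maximum wait. The following is an added example of how a processing node could spot that pattern and refuse further sessions; it is not WebCargo's actual patch. The log format (`timestamp account wait_seconds`), the per-account concurrency limit, the browser-seconds budget and the account names are all assumptions; the 25-second maximum wait is the only value taken from the post.

```python
"""Detect and cap one account monopolising headless-browser time.

Added example, not webcargo.io's code.  Log format, limits and
account names are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

MAX_WAIT_SECONDS = 25           # from the post: longest wait a request may ask for
MAX_CONCURRENT = 3              # assumed per-account limit on open browser sessions
BROWSER_SECONDS_BUDGET = 120    # assumed per-account budget of browser-seconds per window


@dataclass
class Request:
    account: str
    start: float    # epoch seconds when the browser session opened
    wait: int       # requested wait before the screenshot, in seconds


def parse_log(lines):
    """Parse constructed log lines of the form 'ts account wait_seconds'."""
    reqs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, wait = line.split()
        reqs.append(Request(account, float(ts), int(wait)))
    return reqs


def peak_concurrency(reqs):
    """Sweep-line over session start/end events: max overlapping sessions per account."""
    events = defaultdict(list)
    for r in reqs:
        events[r.account].append((r.start, +1))
        events[r.account].append((r.start + r.wait, -1))
    peaks = {}
    for account, evs in events.items():
        evs.sort()  # at equal timestamps -1 sorts before +1, so a finishing session frees its slot first
        current = peak = 0
        for _, delta in evs:
            current += delta
            peak = max(peak, current)
        peaks[account] = peak
    return peaks


def browser_seconds(reqs, window_start, window_end):
    """Browser time each account consumed inside [window_start, window_end)."""
    totals = defaultdict(float)
    for r in reqs:
        end = r.start + r.wait
        overlap = max(0.0, min(end, window_end) - max(r.start, window_start))
        totals[r.account] += overlap
    return dict(totals)


def flag_accounts(reqs, window_start, window_end):
    """Return {account: [reasons]} for accounts exceeding either limit."""
    peaks = peak_concurrency(reqs)
    totals = browser_seconds(reqs, window_start, window_end)
    flagged = {}
    for account in set(peaks) | set(totals):
        reasons = []
        if peaks.get(account, 0) > MAX_CONCURRENT:
            reasons.append(f"peak concurrency {peaks[account]} > {MAX_CONCURRENT}")
        if totals.get(account, 0.0) > BROWSER_SECONDS_BUDGET:
            reasons.append(f"browser-seconds {totals[account]:.0f} > {BROWSER_SECONDS_BUDGET}")
        if reasons:
            flagged[account] = reasons
    return flagged


def should_admit(active, requested_wait, used_seconds):
    """Admission check run before a new browser session is opened for an account.

    active          -- sessions the account currently has open
    requested_wait  -- wait the new request asks for (already clamped to MAX_WAIT_SECONDS)
    used_seconds    -- browser-seconds the account has consumed in the current window
    """
    if requested_wait > MAX_WAIT_SECONDS:
        return False
    if active >= MAX_CONCURRENT:
        return False
    return used_seconds + requested_wait <= BROWSER_SECONDS_BUDGET


# Constructed sample traffic: one ordinary account and one account that opens
# bursts of max-wait sessions back to back.  Not real log data.
SAMPLE_LOG = """\
# ts  account  wait_seconds
1000 acct_normal 5
1000 acct_miner 25
1000 acct_miner 25
1001 acct_miner 25
1001 acct_miner 25
1002 acct_miner 25
1002 acct_miner 25
1010 acct_normal 3
1026 acct_miner 25
1026 acct_miner 25
1026 acct_miner 25
1026 acct_miner 25
1026 acct_miner 25
1026 acct_miner 25
1040 acct_normal 5
"""

if __name__ == "__main__":
    requests = parse_log(SAMPLE_LOG.splitlines())
    for account, reasons in flag_accounts(requests, 1000, 1060).items():
        print(account, "->", "; ".join(reasons))
```

Running the script flags only `acct_miner` (peak concurrency 8, 300 browser-seconds in the 60-second window) while `acct_normal` stays well within both limits. The concurrency sweep catches the burst even when each individual request is legitimate-looking, and the browser-seconds budget catches a slower, steadier drain; `should_admit` is the same two limits applied at request time so the account is throttled before the load builds rather than after.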

So to sum up, we've seen JS crypto mining running in YouTube adverts, in man-in-the-middle attacks, and now in cloud APIs such as our own. In hindsight, this was an obvious exploit that we should have seen coming a mile off. We take solace in the fact that our resources were not abused for more than 5 minutes, and we are now smarter and better protected for it.

Just to be clear: NO user data was ever at risk or exposed, not even in the slightest. The crypto-currency mining took place in our headless environments, and exclusively on our processing servers, which are physically separate from our app server. The processing servers do not hold ANY customer data whatsoever and were never subject to any unauthorised access. We have published this post simply because the exploit was novel and interesting: it's always fun seeing the lengths people will go to for a few cents.

As a closing note, we actually support* browser crypto mining. Websites need to be monetised, and ads are increasingly not passing muster at this point. If our own CPU cycles are to be used as payment for viewing free content online, we'd far prefer the method to be Monero mining than web pages with 3 auto-play video ads, 6 banners, 5 tracking beacons, and 30Mbs of additional data. Not to mention the security risk that third-party advertisement networks have been shown to be on countless occasions.

* Our support extends only to throttled consensual mining which is auto-disabled on devices with batteries like laptops and phones. Such a task would be simple to achieve using the HTML5 battery API or simple user agent checks. Easy to block too, yes, but so are traditional display ads.
