Twitter, the bad and the ugly (aka. where IT Security failed)

Florian "Aamu Lumi" Kauder
5 min read · Feb 13, 2018


In the last few days, a web app was spotted illegally mining cryptocurrencies. Contrary to what security software and “specialists” said, the site asked for permission before mining, as a replacement for ads. So why was its Twitter API account suspended?

Disclaimer: the website is Affinitweet.com. I didn’t have any relationship with them before the incident. Then I spoke with the lead dev of this project and now I follow his personal account to get some news about the subject. I’m also not an IT security expert, and I’m open-minded on this subject.

I : The bad

As I mentioned in the introduction, this is a very recent case. Last Friday (9th February 2018), a tweet appeared in my timeline saying that Affinitweet.com uses a script to mine cryptocurrencies. I was interested in this, because some friends used this website for a “Valentine follower”, and I didn’t expect a mainstream website to do something like that.

I went to the website and checked the source code served by a Webpack server. And yes, there was a Coinhive miner in the source. But before I posted anything about it, a friend told me to take a look at the conditions under which Coinhive starts.

The tweet is in French, but you can just read the code in the screenshot.

I was wrong. The miner starts mining only when the monetization option is enabled. That’s the same thing I had written in this fiddle: https://jsfiddle.net/aamulumi/fm9jmvqf/4/. I made it when Coinhive appeared on the Internet, and I thought it could be a good solution to replace ads.

This is exactly the reason behind the use of Coinhive on Affinitweet.com. They offer mining instead of ads to logged-in users. And this is not hidden at all.
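The opt-in gating described above can be sketched as a small settings switch. This is an added example, not the author’s fiddle and not Affinitweet’s code: the setting name `monetization`, its values `"none"` / `"ads"` / `"mining"`, and the `startMiner` and `showAds` callbacks are assumptions. No miner is loaded here; the point is that the default is off, that an unknown or missing value never falls through to the mining path, and that mining code is only reachable after an explicit, stored choice.

```javascript
// Added example: consent-gated monetization switch (not the page's own code).
// Assumed setting shape: { monetization: "none" | "ads" | "mining" }.
// Nothing here loads or runs a miner; the caller supplies startMiner.

const MONETIZATION_MODES = new Set(["none", "ads", "mining"]);

// Normalize whatever is stored so an unknown, missing or mis-cased value
// can never reach the mining path: the default is always "none".
function normalizeSettings(raw) {
  const mode =
    raw && typeof raw.monetization === "string" ? raw.monetization : "none";
  return { monetization: MONETIZATION_MODES.has(mode) ? mode : "none" };
}

// Mining may start only if the stored choice is exactly "mining".
function shouldStartMiner(settings) {
  return normalizeSettings(settings).monetization === "mining";
}

// Apply the user's choice: show ads, start the miner, or neither.
// Returns which path was taken so callers (and tests) can verify it.
function applyMonetization(settings, { startMiner, showAds }) {
  const { monetization } = normalizeSettings(settings);
  if (monetization === "mining") {
    startMiner(); // only reachable after an explicit opt-in
    return "mining";
  }
  if (monetization === "ads") {
    showAds();
    return "ads";
  }
  return "none"; // default for new, logged-out or undecided users
}

// Record an explicit choice made in the settings UI.
// Rejects anything outside the known modes instead of storing it.
function recordChoice(store, mode) {
  if (!MONETIZATION_MODES.has(mode)) {
    throw new Error(`unknown monetization mode: ${mode}`);
  }
  store.monetization = mode;
  return store;
}

// Constructed demo: a fresh visitor, then the same user after opting in.
const demoHooks = { startMiner: () => {}, showAds: () => {} };
const visitor = {};
console.log(applyMonetization(visitor, demoHooks)); // "none"
recordChoice(visitor, "mining");
console.log(applyMonetization(visitor, demoHooks)); // "mining"
```

The two design points worth keeping from this sketch are the default-deny normalization (a tampered or stale stored value degrades to “no monetization”, not to mining) and the fact that the miner callback is the only place the mining path is reachable, which makes the consent condition easy to audit in the served bundle.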

On the image, you can see the Ad (“Publicité”) option and the Mining (“Minage”) option.

At this point, we’re at the first step of the story. Some users are complaining because their antivirus/antimalware/adblocker detected a malicious script. Here’s the kind of UI you can see with this software:

Source : https://www.howtogeek.com/334018/how-to-block-cryptocurrency-miners-in-your-web-browser/

If you’re someone interested in IT, it can be funny to see that. But now, put yourself in the place of your mother, your father or any ordinary Internet user. If you see this window, you will think: “What the f*** have I done? Holy s*** close this window!”. Yeah. That’s not funny at all, because your website is now treated like any other harmful website. Why? Just because some people used the same script for bad purposes. :)

The problem with Coinhive isn’t the script. I read it, I also read the asm.js miner, and there’s nothing bad inside. The real problem is the use of a miner without the user’s permission. That’s the issue, and to protect users, security software prefers to prevent any use of the script. But rather than telling the user something like “Hey, there is a script on this site which seems bad. You should ask a specialist for confirmation.”, or doing a thorough analysis of the website’s behaviour and performance, they prefer to block the whole site and flag it as malicious. And the ordinary user is now afraid.

If you want to take a look at the Coinhive script, here’s the exact version used by Affinitweet.com, formatted by Chrome: https://gist.github.com/AamuLumi/d47a600b1f30d1df47bb78e28192d5ea

II : The ugly

The next step in this story is the famous “independent security researcher”. This is on 11th February. Let’s talk about this:

Yeah. This guy is saying the opposite of what we proved. I took a look at the account, and it seems this guy specializes in #cryptojacking and the like. And he claims to be a “Security Researcher” on his website. So he’s a researcher and he cannot read a few lines of source code? What kind of researcher is that guy?

I tried to explain why he was wrong and why his information was bad. If you’re interested in the discussion, it’s here: https://twitter.com/bad_packets/status/962630647624876033. And yes, this dude said that Coinhive is malware because he ran a poll. True scientist here.

Personally, I consider that guy to be just an investigative journalist. He does some searching and tracks some exploits. But he’s not a researcher:

Source : http://port.modernlanguages.sas.ac.uk/researcher

It may be just a small difference, but which is the better one in your mind, a researcher or a journalist?

I write about this because these kinds of accounts have enormous power over the media, just because they are, or claim to be, “researchers”. Do you think I want any part of my work on the web to be destroyed by a “researcher” account like this?

He never answered.

III : Twitter

I woke up this morning (13th February), and I saw that:

Do you see the important words? “suspended by Twitter”. We are speaking of the social network famous for not banning accounts that uttered death threats and sexually harassed people. I suppose this is due to a mass report for cryptomining, but do you understand where the problem is? We are at the 3rd step.

(I stop here. I don’t currently have the follow-up of this story.)

I’m tired of this story, because this is a typical case where social networks do a bad job. They propagate bad information because nobody takes the time to check what is happening. And some of the people who seem to be “experts” just do the same thing.

As a CTO, this is the kind of horror story I fear: you must try to explain to everyone that you aren’t doing anything bad, but no one cares. People believe what they want to believe and you cannot do anything about it. And the accounts of “experts” do the worst job they could ever do.

I know that IT Security is not full of this kind of people. I know this is an isolated case. But, please guys, let’s take the time to do some good work and stop propagating fake news. Let’s propagate some true news.

Note: thanks to Jean B. and Pierre-Henri for correcting the entire article.

Here’s a little cute boi. Thanks for reading the article.


Florian "Aamu Lumi" Kauder

KBDev Co-Founder - Full-Stack Developer (#NodeJS 💝) - Composer