Fixing coin mining scripts abuse on the Web

Alberto Gasparin
3 min read · Feb 6, 2018

Recently, while surfing on my laptop, I noticed the fan suddenly started making a lot of noise and, to my surprise, I saw in “Activity Monitor” that 3 Safari processes from 2 domains were each loading one of my CPU cores at 100%! Upon inspection, those web pages were still fully interactive, so I started digging further in order to understand what was going on “under the hood”.

Opening the browser console and forcing the JavaScript debugger to pause script execution brought me to an obfuscated script that quickly turned out to be a coin mining script.

A small section of the script, pretty printed by Safari. The actual source is a base64 string that gets evaluated at runtime: eval(decodeURIComponent(escape(atob(“…”)))).
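The wrapper shown above is a common way to hide a payload from a quick read of the source: atob() turns the base64 text into a "binary string" (one character per byte), escape() percent-encodes those bytes, and decodeURIComponent() reinterprets them as UTF-8, so the whole chain is just "base64 to UTF-8 text" followed by eval. The example below is added here and is not code from the post or from the miner it describes; it shows two ways an analyst can get at the decoded source without running it: a static decoder that matches the exact wrapper shape and decodes the literal, and a dynamic hook that swaps eval for a recorder before running the wrapper. The sample page, the worker-spawning "miner" it contains and the spawnsWorkers() heuristic are constructed for the demonstration (the post only says the decoded script mined coins and that such scripts rely on Web Workers); it runs under Node.js 16 or later.

```javascript
// Added example (not from the original post): recover the payload of
// eval(decodeURIComponent(escape(atob("…")))) without executing it. Node.js 16+.

// Minimal polyfills so the wrapper's browser globals exist under older Node builds.
// (escape() only needs to cover the <= 0xFF range that atob() produces.)
if (typeof globalThis.atob !== 'function') {
  globalThis.atob = (b64) => Buffer.from(b64, 'base64').toString('latin1');
}
if (typeof globalThis.escape !== 'function') {
  globalThis.escape = (s) => s.replace(/[^A-Za-z0-9@*_+\-./]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0'));
}

// Matches the exact wrapper shape shown in the post and captures the base64 literal.
const WRAPPER_RE =
  /eval\s*\(\s*decodeURIComponent\s*\(\s*escape\s*\(\s*atob\s*\(\s*(["'])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*\)/g;

// Static approach: find every wrapped payload in a page's script text and decode it.
// atob + escape + decodeURIComponent is equivalent to a plain base64 -> UTF-8 decode.
function decodeEvalPayloads(scriptText) {
  const payloads = [];
  for (const m of scriptText.matchAll(WRAPPER_RE)) {
    payloads.push(Buffer.from(m[2].replace(/\s+/g, ''), 'base64').toString('utf8'));
  }
  return payloads;
}

// Dynamic approach: replace eval with a recorder, run the wrapper, restore eval.
// Because the global `eval` is no longer the built-in, `eval(x)` inside the wrapper is an
// ordinary function call, so the decoded source is captured instead of executed.
function captureEvalPayloads(scriptText) {
  const captured = [];
  const realEval = globalThis.eval;
  globalThis.eval = (src) => { captured.push(String(src)); return undefined; };
  try {
    new Function(scriptText)();   // runs only the wrapper; the payload itself never executes
  } finally {
    globalThis.eval = realEval;
  }
  return captured;
}

// Triage heuristic (assumption for this example): does the decoded source spawn Web Workers?
function spawnsWorkers(decodedSource) {
  return /new\s+Worker\s*\(/.test(decodedSource);
}

// Constructed sample: a harmless stand-in for the decoded miner, wrapped exactly like the post shows.
const SAMPLE_INNER =
  'var w = new Worker("worker.js"); w.postMessage({ cmd: "start", threads: 3 }); // ünïcode ok';
const SAMPLE_PAGE =
  '(function(){ eval(decodeURIComponent(escape(atob("' +
  Buffer.from(SAMPLE_INNER, 'utf8').toString('base64') + '")))); })();';

function demo() {
  const staticResult = decodeEvalPayloads(SAMPLE_PAGE);
  const dynamicResult = captureEvalPayloads(SAMPLE_PAGE);
  return { staticResult, dynamicResult, worker: spawnsWorkers(staticResult[0]) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The static decoder is the safer of the two for a script you have not yet understood, since nothing from the page runs at all; the eval hook is the scriptable counterpart of pausing the debugger and is useful when the base64 literal is itself built at runtime and a regex cannot find it. In a real page both must run before the site's own scripts.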

Nowadays, more and more websites covertly run such scripts without caring about the state of their users' devices (for instance, whether they are running on battery), and the situation is quickly getting worse. Even though my laptop has 4 cores, those 3 tabs were consuming 3/4 of my available CPU power, and my battery would have died in 30 minutes instead of hours. To make the situation worse, extensions offer little protection against these scripts because they can be concealed quite well (e.g. loaded from the same domain, with no third party involved, so a blocklist of known mining hosts never sees them). This is why I'm calling for browser vendors to change their policies and ask users to explicitly grant websites permission to use Web Workers.

Users should grant permission to use the CPU

Web Workers started as a way for developers to offload resource-intensive work off the main thread, so that a website could remain interactive even during such work (which is exactly why the pages I saw stayed fully interactive while each pegged a core). Nowadays, however, one of the most visible uses of that API is abusing users' CPUs, causing their batteries to die even faster.

As Web Workers are being abused, I think the technology should be put under user control. Browsers already do that for a number of web APIs: not only for notifications and audio/video access, but also for popup windows and storage APIs. Indeed, the user is able to customize how much storage a website is allowed to consume. The same should apply to CPU consumption and workers: how many workers can a website spin up? And how much CPU can they use? Those parameters should be user controllable.
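To make the "how many workers can a website spin up" knob concrete, here is an added example of a per-page Worker quota of the kind the post asks browsers to enforce. It is not browser code and not from the post: it is a page-context shim that wraps the global Worker constructor, counts live workers, refuses new ones past a limit and frees a slot when the page terminates a worker. It assumes it runs before the site's own scripts (for example injected by a userscript manager into the page's own JavaScript world; an ordinary extension content script lives in an isolated world and would not affect the page's Worker). The FakeWorker class and the demo() flow are constructed so the shim can be exercised outside a browser. A quota is not a full block: a miner can still fall back to the main thread, but then the page becomes visibly sluggish, which is the behaviour the original Web Workers design set out to avoid.

```javascript
// Added example (not from the original post): a per-page quota on Web Workers, installed by
// wrapping globalObj.Worker. Assumption: this runs before any page script creates a worker.

function installWorkerQuota(globalObj, { maxWorkers = 2, onBlocked = () => {} } = {}) {
  const RealWorker = globalObj.Worker;
  if (typeof RealWorker !== 'function') return null;   // nothing to wrap (workers disabled)

  const live = new Set();                               // workers currently running
  const stats = { created: 0, blocked: 0 };

  function QuotaWorker(url, options) {
    if (live.size >= maxWorkers) {
      stats.blocked += 1;
      onBlocked(String(url));
      throw new Error('Worker quota exceeded (max ' + maxWorkers + ' per page)');
    }
    const w = new RealWorker(url, options);
    live.add(w);
    stats.created += 1;
    // Release the slot when the page terminates the worker.
    const realTerminate = w.terminate.bind(w);
    w.terminate = () => { live.delete(w); return realTerminate(); };
    return w;                                           // returned object replaces `this`
  }
  QuotaWorker.prototype = RealWorker.prototype;         // keep `instanceof Worker` working
  globalObj.Worker = QuotaWorker;

  return {
    stats,
    live: () => live.size,
    uninstall: () => { globalObj.Worker = RealWorker; },
  };
}

// Constructed stand-in for the browser's Worker so the shim can run under Node.js.
class FakeWorker {
  constructor(url) { this.url = url; this.alive = true; }
  postMessage() {}
  terminate() { this.alive = false; }
}

function demo() {
  const fakeWindow = { Worker: FakeWorker };            // stands in for `window`
  const blocked = [];
  const quota = installWorkerQuota(fakeWindow, { maxWorkers: 2, onBlocked: (u) => blocked.push(u) });

  const a = new fakeWindow.Worker('miner.js');
  const b = new fakeWindow.Worker('miner.js');
  let thirdFailed = false;
  try { new fakeWindow.Worker('miner.js'); } catch (e) { thirdFailed = true; }   // over quota
  a.terminate();                                        // frees one slot
  const c = new fakeWindow.Worker('legit.js');          // fits again

  return {
    thirdFailed,
    blocked,
    created: quota.stats.created,
    blockedCount: quota.stats.blocked,
    live: quota.live(),
    isWorker: c instanceof FakeWorker,
    aAlive: a.alive,
    bAlive: b.alive,
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

In a browser the `globalObj` argument would be `window`, and the `onBlocked` callback is where a user-facing prompt ("this site wants to start more CPU workers, allow?") would go; that prompt, rather than the hard limit, is the permission model the post argues for.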

Get your CPU back today

As I said, extensions are still lagging behind as an effective way of blocking unwanted coin mining scripts. The solution I'm proposing is drastic but effective: disable Web Workers entirely. You can only do it in Firefox, but it is quite simple: just go to “about:config”, search for dom.workers.enabled and change it to false. After this change, mining scripts that rely on workers will just error out (you can confirm by trying to create a worker from the console, which should now throw) and you can go back to surfing happily again. Be aware that this also breaks legitimate sites that depend on workers, and a miner could still fall back to running on the main thread, although that would make the page noticeably sluggish and much easier to spot.

Firefox config allows you to turn Web Workers off.

I really hope the community and browser vendors agree on a solution that allows only trusted scripts to keep using Web Workers while stopping abuse from “malicious” parties.

Alberto Gasparin

Being a Frontend Developer is learning something new every day