[lost_my_pwd]

"But according to Troy Mursch, a security expert who spends much of his time tracking Coinhive and other instances of “cryptojacking,” killing the key doesn’t do anything to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key is invalidated, Mursch said, Coinhive keeps 100 percent of the cryptocurrency mined by sites tied to that account from then on."

This is where I think Coinhive ethically crosses the line; perhaps legally, too. The mining scripts should stop when contacting Coinhive and determining that the specified key/ID has been disabled due to complaints or fraud.

[mtve]

Just to continue the quote from the article:

Reached for comment about this apparent conflict of interest, Coinhive replied with a highly technical response, claiming the organization is working on a fix to correct that conflict.

“We have developed Coinhive under the assumption that site keys are immutable,” Coinhive wrote in an email to KrebsOnSecurity. “This is evident by the fact that a site key can not be deleted by a user. This assumption greatly simplified our initial development. We can cache site keys on our WebSocket servers instead of reloading them from the database for every new client. We’re working on a mechanism [to] propagate the invalidation of a key to our WebSocket servers.”

[calibas]

Meaning they'll "fix" it when they're forced to, but in the meantime they'll make a nice profit off the "broken" code.

[beiller]

I have also tried making a coinhive clone. Sparechange. We fully investigate any complaints and ban API keys immediately after investigation. The only reason to keep mining with a known bad key is greed.

also edit - we are working on a way for site owners to validate their site via a DNS entry or something, and only allow keys to mine on validated sites. We want to make this space less scummy!

[berkes]

Thanks for plugging here. I researched the space for an article (featured on HN frontpage) a few months ago, but did not come across SpareChange. Back then I found coinhive to be the "only properly implemented authed" system, so I used that as an example. I'll wait how CoinHive comes out of this sh*tstorm and decide if I'll change my example to yours instead.

Also good to see there is (i) more improvement possible, (ii) ongoing investigation and (iii) competition in this space. Keep it strong, ignore the haters.

[duskwuff]

They also need to take more effective steps to allow them to claw back coins which were mined by bad actors. IIRC, they currently rake funds every few hours, allowing those bad actors to get away with most of the coins they mine before they get caught.

[smokeyj]

You could just point the miner at another pool and keep 100% of the shares. Cutting out CoinHive is trivially simple.

I really don't get the problem though. Someone's website is hacked and points to coinhive, and we want coinhive to fix it? This is why we can't have nice things.

[s73v3r_]

We want Coinhive to not benefit from it.

[smokeyj]

Browser mining is basically worthless. If they're running a pool then they have to pay server usage to validate low value shares. I'm not sure CoinHive is even economically viable.

Meanwhile, Google - the multi billion dollar public company, is the one distributing this script through online ads..