by dyeje 2872 days ago
But this is a static site generator. They can't take over your server if you're just serving up stuff from S3.
2 comments

They can't take over your server but they can inject a script tag with a cryptominer for all of your users to run. It's not the end of the world because you're just out a few dollars in electricity but it would be embarrassing.
Your reputation will be out of the window if you ran a crypto miner without notice, and even if you get rid of it, saying it was "hacked", people will hardly believe it.
If they can inject something like that in the output, they can also do something funky on your dev machine. Which means I shouldn’t be installing any npm package.
You are correct! :D
I think what he was trying to say was that if you knew for a fact yesterday that your static site didn't have malicious code on it, then you know it for a fact today, assuming you didn't rebuild the site in the interim. You can't say the same for dependencies on, say, a web server, since the web server may have rebooted and done an install or whatever overnight.
Stupid question, does anyone do this on purpose? (i.e., with the consent of the client side). In a way it seems like a good way to make income for content (say a blog post) rather than all the ad profiling nonsense that goes on now.
I noticed that the nazi/terror/nationalistic organisation Nordic Resistance Movement uses https://coinhive.com, since they probably can't use ads. Coinhive apparently takes a 30% cut, and on my 2014 15" MBP I get a hashrate of around 50 / second. Some napkin math:

  ((50 hashes / s * 100000 visitors * 5 minutes) / average hashes per block [0]) * block reward [1] * 0.7 ≈ 70 USD cents.
  [0]: 54272216853
  [1]: 4.11 XMR, 1 XMR ≈ 90 USD
So for spinning the fans for 100000 people for 5 minutes while they read your blog post, you get 0.7 USD.
Thanks! That is strangely fascinating. So I am guessing your average laptop runs at about 20 watts, so 20 x 10000 x 5/60 = 16.67 kWh. So depending on where you live you might pay $0.3/kWh, so 70 cents for about 5 dollars worth of electricity. So it only makes sense if you can keep a lot of people on your page for a very long time...
I would be surprised if a JavaScript cryptominer was productive enough to even be worth the effort.
I'm completely naive about such things; what sort of productivity is it, in say $/hr/core?
True, but they can compromise the machine that runs VuePress (or at least, run arbitrary user-level JS code on it).
Wouldn’t this be the case for any node app? Why pick on VuePress specifically?
The OP's comment was specifically with respect to the large number of dependencies, which can increase the "surface area" for this type of attack to happen. And, of course, we're talking about VuePress because this is a thread about VuePress. Similar complaints are raised for many other Node libraries, so rest assured that VuePress is not alone in that regard.