by kevan 2872 days ago
They can't take over your server but they can inject a script tag with a cryptominer for all of your users to run. It's not the end of the world because you're just out a few dollars in electricity but it would be embarrassing.

Your reputation will be out the window if you run a crypto miner without notice, and even if you get rid of it, saying it was "hacked", people will hardly believe it.
If they can inject something like that in the output, they can also do something funky on your dev machine. Which means I shouldn’t be installing any npm package.
You are correct! :D
I think what he was trying to say was that if you knew for a fact yesterday that your static site didn't have malicious code on it, then you know it for a fact today, assuming you didn't rebuild the site in the interim. You can't say the same for dependencies on, say, a web server, since the web server may have rebooted and did an install or whatever overnight.
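The two checks the comments above argue for (nothing new got injected into the built output, and the output still matches the build you reviewed yesterday) as an added example; this is not code from the thread or from any project mentioned in it. The allowlisted host, the sample HTML and the manifests are constructed; the functions take file contents as bytes, so reading the output directory with pathlib is left to the caller.

```python
"""Added example (not from the thread): scan a built static site for
injected <script> tags and for output files that changed since a
known-good build. The allowlist and the sample HTML are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)

def find_unexpected_scripts(html, allowed_hosts):
    """Script srcs served from a host outside the allowlist. Relative srcs
    (same-origin) pass; protocol-relative '//host/..' resolve to a host."""
    p = ScriptCollector()
    p.feed(html)
    hosts = {s: urlparse(s).netloc.lower() for s in p.external}
    return [s for s, h in hosts.items() if h and h not in allowed_hosts]

def build_manifest(contents):
    """sha256 of each output file (path -> bytes); record this after a build
    you have reviewed and keep it outside the build tree."""
    return {path: hashlib.sha256(data).hexdigest()
            for path, data in contents.items()}

def diff_manifest(known_good, current):
    """Paths added or changed since the known-good build, sorted. A rebuild
    that pulled a poisoned dependency shows up here even if the HTML looks
    normal at a glance."""
    return sorted(p for p, h in current.items() if known_good.get(p) != h)

# Constructed sample: one same-origin script, one allowlisted CDN, and one
# injected loader from a host that is not on the allowlist.
ALLOWED_HOSTS = {"cdn.example.net"}
SAMPLE_HTML = ('<html><body><p>post</p><script src="/assets/app.js"></script>'
               '<script src="https://cdn.example.net/lib.js"></script>'
               '<script src="//unknown-cdn.invalid/m.js"></script></body></html>')
GOOD_BUILD = build_manifest({"index.html": b"<p>post</p>", "app.js": b"x=1;"})
REBUILT = build_manifest({"index.html": b"<p>post</p>", "app.js": b"x=1;m();"})

if __name__ == "__main__":
    print(find_unexpected_scripts(SAMPLE_HTML, ALLOWED_HOSTS))  # ['//unknown-cdn.invalid/m.js']
    print(diff_manifest(GOOD_BUILD, REBUILT))  # ['app.js']
```

Run it against a real output directory by building the contents dict from the files on disk and comparing against the manifest saved from the last reviewed build.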
Stupid question: does anyone do this on purpose (i.e. with the consent of the client side)? In a way it seems like a good way to make income for content (say a blog post), rather than all the ad profiling nonsense that goes on now.
I noticed that the nazi/terror/nationalistic organisation Nordic Resistance Movement uses https://coinhive.com, since they probably can't use ads. Coinhive apparently takes a 30% cut, and on my 2014 15" MBP I get a hashrate of around 50 / second. Some napkin math:

  ((50 hashes / s * 100000 visitors * 5 minutes) / average hashes per block [0]) * block reward [1] * 0.7 ≈ 70 USD cents.
  [0]: 54272216853
  [1]: 4.11 XMR, 1 XMR ≈ 90 USD
So for spinning the fans for 100000 people for 5 minutes while they read your blog post, you get 0.7 USD.
Thanks! That is strangely fascinating. So I am guessing your average laptop runs at about 20 watts, so 20 x 10000 x 5/60 = 16.67 kWh. So depending on where you live you might pay 0.3 $/kWh, so 70 cents for about 5 dollars worth of electricity. So it only makes sense if you can keep a lot of people on your page for a very long time...
I would be surprised if a javascript cryptominer was productive enough to even be worth the effort.
I'm completely naive about such things; what sort of productivity is it, in say $/hr/core?