Thousands of websites including ones run by the U.S. and U.K. governments secretly hijacked browsers to mine cryptocurrency thanks to a compromised plugin, the Register reported on Sunday.
According to the Register, all of the afflicted websites ran British tech company Texthelp’s Browsealoud plugin, which reads out websites for people with visual impairments like full or partial blindness or conditions like dyslexia. It’s unknown at this time whether the someone external to the company was able to compromise the plugin or an insider decided to hijack it for fun and profit, but the list of websites is pretty extensive:
A list of 4,200-plus affected websites can be found here: they include The City University of New York (cuny.edu), Uncle Sam’s court information portal (uscourts.gov), Lund University (lu.se), the UK’s Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner’s Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), plus a shedload of other .gov.uk and .gov.au sites, UK NHS services, and other organizations across the globe.
Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.
The price of XMR, Monero’s token, peaked at nearly $500 earlier this month but has since fallen back down to around $240, according to sites which track the prices of cryptocurrency.
“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline,” Texthelp chief technology officer Martin McKay said in a statement. The company added that “This was a criminal act and a thorough investigation is currently underway” by an independent security company.