[Update Feb 15th] Was interviewed in the CBC about this.
[Update Feb 14th] Was quoted in The Record in Cambridge.
News broke yesterday of a widespread hack in which visitors to government websites around the world saw their web browsers hijacked into running the Coinhive Javascript for the purpose of mining Monero, and hundreds of Canadian websites were among those targeted.
Over 200 websites across Canada were affected, and ranged from municipalities, public libraries, school boards, public health organizations, with locales in Ontario, Quebec, BC, and the Northwest Territories.
The attack is known as cryptojacking, and is becoming an increasingly popular money making tool for hackers. When a user visits an affected website, their browser is sent a small Javascript program that causes it to perform intensive CPU operations to mine a cryptocurrency called Monero, without the user’s consent or knowledge.
Over the weekend, international cybersecurity researcher Scott Helme discovered that a web accessibility plugin called Browsealoud had been hijacked to deliver the mining script (via Coinhive). It has since been taken temporarily offline as the breach is investigated and the affected customers are contacted.
The list of sites loading the affected Browsealoud script includes numerous Canadian entries, including cities like Cambridge, Oshawa, Pickering, Yellowknife, as well as the Ottawa-Carlton District School Board, and even the Information and Privacy Commissioner of Ontario.
Implications for Online Voting
Although cryptojacking does not typically steal private information from its victims, it could be easily modified toward that goal, and this incident highlights how hacking a single website can lead to the compromise of thousands around the world, a worrying trend as numerous Ontario municipalities look to deploy online voting in the upcoming election in October.
In fact two of the cities affected by the Browsealoud hack with plans to roll out online voting are Cambridge, and Pickering. Instead of hijacking your browser to mine cryptocurrency, imagine it’s hijacked to steal your vote.
List of Canadian websites affected by the hack:
In total 207 websites in the .ca TLD were found serving the Browsealoud plugin. Canadian sites in the top 30 million include:
- Centre for Addition and Mental Health
- Ottawa-Carlton District School Board
- Information and Privacy Commissioner of Ontario
- City of Cambridge
- Burlington Public Library
- City of Oshawa
- City of Cambridge
- Town of Caledon
- Multiple Sclerosis Society of Canada
- Ontario Trillium Foundation
- L’environnement numérique d’apprentissage
- Fraser Valley Regional Library
- City of Yellowknife
- Huron County
Sources
- Dataset of sites using the Browsealoud plugin (CSV)
- Helme’s original blog post