Google extension found using users’ CPUs to mine cryptocurrency

01 Jan 2018

Google has taken down a Chrome browser extension with over 105,000 users after it was reported to be secretly mining cryptocurrency using the CPU power of its users.

A popular extension, Archive Poster, which allowed Tumblr users to "reblog, queue, draft, and like posts right from another blog's archive", was reportedly hijacking the CPUs of over 105,000 users to secretly mine the cryptocurrency Monero.

Users in the review section of the extension had blasted the inclusion of the infamous Coinhive in-browser miner's JavaScript code in the extension. Coinhive is the same miner which was used by The Pirate Bay to mine cryptocurrency using users' CPUs.

The extension did not ask for any permission from the users to run the code and kept mining the cryptocurrency as long as the browser was open. Such processes are popularly known as cryptojacking. A user has no way to turn this off but to uninstall the extension or close the website executing the process.

The extension was developed by qplus.io.

Incidentally, after the extension was taken down, another extension '[SAFE] Archive Poster' has cropped up. Offered by 'Archive Poster', the extension does not provide any screenshot of how it works. The reliability of the extension is questionable.

Computing power is essential for mining cryptocurrencies as a miner's computer has to solve complex mathematical calculations to mine a cryptocurrency such as bitcoin, ripple, and ether.

Over the spring and summer, Chrome extension developers have been under a barrage of phishing attacks, according to Bleeping Computer. Miscreants were trying to take over extensions, adding adware code and pushing a tainted update to the extension's userbase when successful.

Some of these phishing attacks were successful, and several cases were reported when high-profile extensions with large user bases were hijacked to push adware.

The company behind Archive Poster does not have a contact method listed on its website, so it was not possible to confirm whether this was intentional or another case of a hijacked extension.