Thousands of websites that use Texthelp’s Browsealoud software to add speech, reading, and translation to their pages were briefly compromised after hackers altered a piece of its code to include a crypto mining script.
A crypto mining script is code that, when placed on a website, uses visitors’ central processing units (CPUs) to mine cryptocurrency. Cryptocurrencies are digital currencies in which cryptographic techniques are used to regulate the generation of units of currency and verify the transfer of funds. The original and best known example is Bitcoin.
Websites that chose to use Browsealoud to facilitate access and participation for people with conditions such as dyslexia or mild visual impairments will have been compromised.
The presence of the crypto mining script came to light when Ian Thornton-Trump, a cyber security expert, received an alert while visiting the website of the UK’s Information Commissioner’s Office (ICO), which is responsible for data protection. The warning flagged up the presence of a crypto-miner on the ICO site.
As Thornton-Trump explained to the website The State of Security:
Helme, with the help of other security experts, traced the problem to the third-party add-on Browsealoud and identified over 4,000 potentially infected sites. They included a wide range of national and local government organisations.
Helme’s site explained:
If you want to load a crypto-miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the one website that they all load content from. In this case it turned out that Text Help, an assistive technology provider, had been compromised and one of their hosted script files changed.
He also added that the attack could have been neutralised with a tiny change to the way the ICO site and others loaded the script.
In a statement issued by Martin McKay, Texthelp’s CTO and Data Security Officer, the company acknowledged the attack, describing it as a ‘criminal act’. The statement says the company’s data security action plan was actioned straight away and was effective; the risk was mitigated for all customers within a period of four hours.
Texthelp has in place continuous automated security tests for Browsealoud — these tests detected the modified file and as a result the product was taken offline. This removed Browsealoud from all our customer sites immediately, addressing the security risk without our customers having to take any action.
McKay explained. The statement continued:
Texthelp can report that this attacker did not attempt to extort or ransom money from Texthelp or Texthelp customers. The company has examined the affected file thoroughly and can confirm that no customer data has been accessed or lost. The file used the computer’s CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday [11 February].
The Browsealoud service has been temporarily taken offline as a precautionary measure to all customers. The security breach has already been addressed, however Browsealoud will remain offline until Tuesday 13 February at 12:00 GMT. This is to allow time for Texthelp customers to learn about the issue and the company’s response plan.
This compromise has only impacted the Browsealoud service, no other Texthelp products have been affected in any way.
Phase One of our internal investigation is now complete and our customers have been notified. We are continuing to work with the National Crime Agency and the National Cyber Security Agency. An additional review will now be conducted by an independent security consultancy. The security of our products continues to be of the utmost priority for us, we are taking this very seriously and in light of this attack, we are strengthening our security systems further.