Pixel Envy

Written by Nick Heer.

A Third-Party Script Used by Government Websites Was Compromised to Mine Cryptocurrency

Scott Helme:

I had a friend of mine get in touch about his AV program throwing a warning when visiting the ICO website. The ICO bill themselves as:

The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

They’re the people we complain to when companies do bad things with our data. It was pretty alarming to realise that they were running a crypto miner on their site, their whole site, every single page.

At first the obvious thought is that the ICO were compromised so I immediately started digging into this after firing off a few emails to contact people who may be able to help me with disclosure. I quickly realised though that this script, whilst present on the ICO website, was not being hosted by the ICO, it was included by a 3rd party library they loaded.

Scary as it is, this is arguably a relatively minor incident; imagine if it were a more malicious script — something like a keylogger. It would be wise for web developers reliant upon third-party scripts to treat them as though they will, at some point, carry malware.