One of the sites hijacked to mine cryptocurrency in the recent script-replacement hack was the website of the Swedish Police Force. This merits more discussion; a lot more.
As reported by The Register and many others, the BrowseAloud script was hijacked server-side to mine the Monero cryptocurrency on the computers of all visitors.
It’s a seemingly simple hack: hijack something that a lot of websites include, and you’ve got code running on the computers of the visitors to all those websites. It might not be code that can access their file system, but number-crunching can be profitable enough, it seems. (In a sure disappointment, this particular hack seems to have netted the intruders only about $25.) Regardless, it presents a huge security hole and an enormous attack vector reaching millions of computers, as this event makes evident.
And it is this security hole which becomes interesting when you take into account that the websites of major authorities were hacked by a simple server-side include script replacement.
It is not sophisticated at all. It is as lame as replacing an image file that has been hotlinked from another site just to make that site look bad. It can be funny, but it is D-level in terms of sophistication.
Even so, the low degree of sophistication is all the more reason to be aware of the attack vector.
Remember now, it is a Police Force that allowed their website to be hijacked by this simple attack vector. The authority assigned to serve and protect. More specifically, the authority that argues that wiretapping is totally safe because the Police is competent in IT security matters, so there’s no risk whatsoever that your data will leak or be mishandled.
This is one of the websites that were trivially hacked.
It gives pause for thought.
It also tells you what you already knew: authorities can’t even keep their own dirtiest laundry under wraps, so the notion that they’re capable or even willing to protect your sensitive data is hogwash of the highest order.
Oh, did I mention it’s not just about citizen security, but also national security? Yeah, the Swedish Defense Equipment Authority (Försvarets Materielverk) was also on the list of hacked websites through this simple script replacement hack.
Privacy remains your own responsibility.