13

"Bitcoin Plus" is one example of a JavaScript bitcoin mining client that can CPU mine bitcoins through a browser when viewing a website. Here is a screenshot from 4bitcoins dot com which automatically starts the miner when you load the page:

[Screenshot: Bitcoin Plus running on 4bitcoins dot com]

It could be considered a form of theft for a website to profit from the extra electricity used by a viewer of the page, and definitely isn't environmentally friendly as CPU mining through JavaScript is hugely inefficient and any revenue earned doesn't even come close to covering the cost of the electricity consumed (and besides, in this case the benefit is to the website, and the cost is to the user).

Doing some quick maths I'd estimate that the mining would earn the website owner around 0.12 US cents per 24hrs running, at a cost of around 17 cents to the user in power (assumed 1BTC=$5US, difficulty around 1.8m, power 14c/kWh).

In short, it's desirable to block such functionality from running without the user's consent.

How could such integrated mining be disabled without blanket-disabling JavaScript on all websites? Bear in mind that even though the miner is visible on 4bitcoins dot com, it doesn't need to be visible to work.

ps: I didn't use standard syntax for the website name, as that will only encourage search engines to send more traffic there!

Murch
Highly Irregular
  • The JS doesn't actually mine Bitcoins. It's just for research purposes. – Mascarpone Oct 05 '11 at 12:27
  • 3
    I wouldn't accuse JavaScript miners of theft. Flash ads use a fair amount of CPU to display the wares of advertisers, and far more bandwidth than mining. If this is theft then so is all advertising of any kind, rickrolling or any unwanted use of any of your computing resources. I would reword the question to that end. You retain the right to control what does and does not run on your computer, but you can't accuse these folks of a crime. – David Perry Oct 05 '11 at 23:07
  • Actually, the "What's this?" link says: "Your computer fan turned on because generating bitcoin takes computer power. It's essentially generating money to help support the website you came from." That doesn't sound like research to me. – Highly Irregular Oct 05 '11 at 23:41
  • Whether or not it might be considered a theft comes down to legality; it's probably legal, but that doesn't make it ethical. I will reword it to allow users to decide for themselves. I also believe that the majority of users don't have the skills to take control of their computer to prevent use of a loophole like that - most people wouldn't allow it if they knew the details. – Highly Irregular Oct 05 '11 at 23:45
  • I also disagree that it's similar to most Flash advertising. As an experiment I viewed a page with 3 embedded typical Flash ads, and the CPU usage was around 4% compared to 80% for the miner application. – Highly Irregular Oct 05 '11 at 23:50
  • I repeat what I said: Even though the JS performs hashes, no actual coin is generated. – Mascarpone Oct 06 '11 at 01:36
  • 2
    Can you provide some evidence please? – Highly Irregular Oct 06 '11 at 08:41
  • 2
    https://bitcointalk.org/index.php?topic=9042.0 --- After a more careful reading, I think I have to apologize. Probably I confused this project with the original http://bitp.it/ – Mascarpone Oct 06 '11 at 12:38
  • I have to wonder whether you wasted more electricity asking this question than all the JS hashing in the world combined. Also, like David Perry said, it's really nothing compared to Flash... – JamesTheAwesomeDude Apr 01 '13 at 08:26

6 Answers

12

You can use Adblock Plus to block the miner script. In this case it would be:

http://www.bitcoinplus.com/js/miner.js
Chris Acheson
  • 2
    I asked for some clarification in the Adblock Plus forums as to whether blocking javascript miners would ever be likely to be done by default, and the answer was no. https://adblockplus.org/forum/viewtopic.php?f=2&t=8466 – Highly Irregular Oct 06 '11 at 08:39
6

You would need some kind of browser plug-in that monitors the CPU consumption of JavaScript and alerts you if you see excessive usage for an extended period of time.

David Schwartz
  • 2
    Very good idea. Even better would be integrating it into an existing popular extension like say adblock plus having an option to "warn against high CPU code which may be malicious". – DeathAndTaxes Oct 05 '11 at 05:38
  • I agree. I did some searches to find some examples of such plug-ins, expecting to find them easily, and was quite surprised that I couldn't find any. If nothing else, they're useful for making sure your own JavaScript doesn't spin out. – David Schwartz Oct 05 '11 at 11:49
  • For how JavaScript is handled memory-wise it is very difficult to profile it. In a real situation your readings will be most definitively tainted by a lot of noise. – Mascarpone Oct 05 '11 at 12:26
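
One way the alerting logic of such a plug-in could look, as an added example that is not from the original answer: it takes per-tab CPU samples as input (how a plug-in would obtain them is assumed, not shown) and alerts only on sustained load, so short spikes do not trigger it. The sample values are constructed around the 4% and 80% figures reported in the question's comments; the function and tab names are hypothetical.

```javascript
// Flags a tab only when its CPU stays at or above `threshold` percent for at
// least `minSeconds` without a break, so a short spike does not raise an alert.
function sustainedHighCpu(samples, { threshold = 50, minSeconds = 60 } = {}) {
  const alerts = [];
  const runStart = new Map(); // tab -> time the current high-CPU run began
  const alerted = new Set();  // tabs already reported for their current run
  for (const { t, tab, cpu } of samples) {
    if (cpu < threshold) {
      // The run is broken: forget it and allow a fresh alert later.
      runStart.delete(tab);
      alerted.delete(tab);
      continue;
    }
    if (!runStart.has(tab)) runStart.set(tab, t);
    const since = runStart.get(tab);
    if (t - since >= minSeconds && !alerted.has(tab)) {
      alerted.add(tab);
      alerts.push({ tab, since, at: t });
    }
  }
  return alerts;
}

// Constructed samples: one reading per tab every 15 s (t in seconds, cpu in %).
// "ads-page" idles at 4% with a single spike; "miner-page" sits at 80%.
function buildSamples() {
  const samples = [];
  for (let t = 0; t <= 120; t += 15) {
    samples.push({ t, tab: 'ads-page', cpu: t === 30 ? 90 : 4 });
    samples.push({ t, tab: 'miner-page', cpu: 80 });
  }
  return samples;
}

console.log(sustainedHighCpu(buildSamples()));
```
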
4

It isn't really theft if you're broadcasting your availability to run javascripts. There are blockers that allow you to selectively block javascript files - check your browser's extensions (Chrome and FF both have many options).

Alex Waters
  • Does a browser really "broadcast" that it will run javascript, or does it just respond to a custom-written request which allows the server to detect a response? In my view, automatic CPU mining isn't very different to the trojan viruses that run a miner on your PC - you just need to have the website page open for the javascript version (and your PC isn't infected). Maybe such websites will start to be blacklisted as malicious? – Highly Irregular Oct 05 '11 at 09:23
  • 3
    Yes, you broadcast your willingness to use JS with the user agent... – Mascarpone Oct 05 '11 at 12:17
2

Using a selective JavaScript blocker is basic good practice from a system security point of view, and will prevent websites from using your CPU to mine for bitcoins.

  • The NoScript Firefox extension allows you to disable JavaScript on a per-site or per-page basis. I like to set it to default to denying JavaScript on every page, and then add an exception for each page on which I want to allow JavaScript to run.

  • If you're using Chromium or Chrome then there's a built-in JavaScript blocker. Go to the 'wrench' menu, select "Preferences", then "Under the bonnet" (or 'hood' if you speak American?) then click "Content Settings" in the "Privacy" section and select "Do not allow any site to run JavaScript". Then whenever you're on a site which needs JavaScript to run, you'll see a red X at the right hand end of the address bar which you can click to allow JavaScript on just that site.

  • If you're using Internet Explorer you're probably not too concerned about what random strangers run on your computer. Enjoy.

Chris Moore
  • From memory, I think there is also a "YesScript" Firefox extension which by default allows you to turn on scripts on just the pages you want. – Highly Irregular Feb 13 '12 at 18:59
0

For the latest browsers, I would suggest implementing CSP (Content Security Policy), specifically defining the script-src.

This will work if you own the site and CSP will prevent it from being XSS with bitcoin javascript.
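
What a `script-src` directive does to an injected miner script, as an added example that is not part of the original answer: a simplified model of the browser's check (it ignores paths, ports, nonces and hashes, and treats a scheme-less host source as using the page's scheme). The policy and the `shop.example` / `cdn.example` hosts are constructed; the miner URL is the one quoted in the Adblock Plus answer.

```javascript
// Simplified model of how a browser applies script-src to a script URL.
// Handles 'none', 'self', scheme sources (https:) and host sources with an
// optional leading "*." wildcard.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

function hostMatches(pattern, host) {
  // "*.example.com" matches subdomains but not example.com itself.
  if (pattern.startsWith('*.')) return host.endsWith(pattern.slice(1));
  return host === pattern;
}

function scriptAllowed(header, pageUrl, scriptUrl) {
  const csp = parseCsp(header);
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const sources = csp.get('script-src') ?? csp.get('default-src');
  if (sources === undefined) return true;
  const page = new URL(pageUrl);
  const script = new URL(scriptUrl, pageUrl);
  return sources.some((src) => {
    const s = src.toLowerCase();
    if (s === "'self'") return script.origin === page.origin;
    if (s.startsWith("'")) return false; // 'none' and keywords not modelled here
    if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return script.protocol === s;
    const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
    if (!m) return false;
    const scheme = m[1] ? m[1] + ':' : page.protocol;
    return script.protocol === scheme && hostMatches(m[2], script.hostname);
  });
}

// Constructed policy for a hypothetical site, https://shop.example
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example";
const PAGE = 'https://shop.example/cart';
const MINER = 'http://www.bitcoinplus.com/js/miner.js';

console.log(scriptAllowed(POLICY, PAGE, MINER));        // injected miner
console.log(scriptAllowed(POLICY, PAGE, '/js/app.js')); // the site's own script
```
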

-1

Browsers could limit the amount of CPU capacity a website is allowed to use to something as low as 1 %.