CookieScript.info mining Monero on your website?! It’s true

We all like to stay in compliance with EU and US privacy regulations, and a lot of the time we depend on third-party tools and libraries to do so. Enter cookiescript.info, a San Francisco organization which was one of the few that created an easy JavaScript and WordPress solution for displaying the regulatory cookie notice on your website. This is the same organization that, as I remember, had a phase of harassing website owners about it for a short period of time; I was personally bombarded by them for weeks about websites that were under development at the time (circa 2015).

On their website, they state “European and American laws require that digital publishers give visitors to their sites and apps information about their use of cookies and other forms of local storage. These laws also require that consent be obtained. A breach of these regulations can result in a fine of up to $500,000.”

But wait, what’s this?! From the title of this article you may have guessed correctly: their widely distributed script, hosted on their CDN, was modified to secretly mine a cryptocurrency called Monero, without your consent. The irony. From the looks of it, it is quite possible this was the result of a security breach, considering the way the script was modified to hide any possible identifying information, such as a wallet address, so that the miner is not kicked from its pool. Since Monero is a top-notch privacy coin, a pool operator typically can only ban a miner based on the wallet address it submits.

[Screenshot: actively mining]

[Screenshot: the mining code]

The malicious code has been noticed here:

https://cdn.cookiescript.info/libs/cookieconsent.5.min.js

And here:

https://cdn.cookiescript.info/libs/cookiescript.min.js

I reached out to cookiescript.info via email about the script that is mining without consent at 4:03 PM CST on 22 March 2018 and asked them if they were aware of this and if it was intentional. As of writing this article for future release, no response has been received and no correction to their code has been made; it continues to mine without consent on thousands of websites that use their code to stay in compliance with regulators. This article will be updated upon receipt of a response and/or when the script has been modified so that the mining script is no longer attached.

[Disclosure: The author of this story owns small positions in and mines Monero ethically]