Click to Skip Ad
Closing in...

Showtime websites had hidden cryptocurrency miner, using visitors’ CPUs

Published Sep 26th, 2017 8:00PM EDT
BGR

If you buy through a BGR link, we may earn an affiliate commission, helping support our expert product labs.

Showtime is a huge entertainment brand, with a ton of original programming, Hollywood movies, and even a slice of the sports pie thanks to its boxing promotions. With all that business, it’s hard to imagine the company would have to resort to a secret revenue source, but it seems that’s a very real possibility. Some sharp-eyed internet sleuths recently revealed that Showtime’s websites showtime.com and showtimeanytime.com had a cryptocurrency miner tucked away in their source code.

The miner, which is similar to the one recently used by The Pirate Bay, is built on Javascript and designed to function as an alternative to banner ads. Visitors computers lend a portion of their processing power to the miner while on the webpage, that power helps generate revenue for the site, and the user rarely has any idea. The Pirate Bay ended up apologizing for using it without first warning its users, and promised that it was only a test.

The idea of using a discrete coin miner to offset the costs of running a website isn’t a terrible idea, but it’s hard to imagine a massive brand like the CBS-owned Showtime needing to do so, especially on its own streaming websites. If you’re watching Showtime online from the official source, you already have to be a subscriber, which means you’re paying for the service outright.

Although neither CBS nor Showtime has come forward with a statement explaining how the coin miner ended up on its site, it has since been removed. That would suggest that either the software was placed there with the intent of mining some cash in the background, or (much more likely) it was hidden there without the knowledge of the company.

If the latter is true, it’ll be interesting to hear how someone snuck code into the sites without anyone knowing, and if it is linked to any other Javascript vulnerabilities.