BrowseAloud explained

BrowseAloud is assistive technology software that adds text-to-speech functionality to websites.[1] It is designed by Texthelp Ltd, a Northern Ireland–based company that specialises in the design of assistive technology. BrowseAloud adds speech and reading support tools to online content to extend the reach of websites for people who require reading support. The JavaScript-based tool adds a floating toolbar to the web page being visited. The service is paid for by the website's publisher and is free to website visitors.[2]

BrowseAloud has been used in the United Kingdom by local councils,[3] and parts of the National Health Service.[4] The software won a New Statesman New Media Award in 2004.[5]

Controversies

BrowseAloud has been criticised by technologists for the need to use a mouse to select text before BrowseAloud would read it.[6] This required vision and motor skills to use, making BrowseAloud inaccessible to groups that could use other screen readers, such as JAWS. Commentators have noted that BrowseAloud is not a substitute for such tools.[7]

Malware

On 11 February 2018, a Sunday, over 4,200 BrowseAloud customers (some sources said over 5,000[8] [9]) had their websites infected with Coinhive code after BrowseAloud, hosted on Amazon Web Services,[10] was hacked.[11] Although Coinhive—which generates Monero, a form of cryptocurrency—has legitimate uses,[12] its insertion in the manner used in the attack was described as "malicious" by The Register's editor-in-chief, Chris Williams, and as "malware" by Taylor Hatmaker in TechCrunch.

The BrowseAloud service was disabled by Texthelp to allow their engineers to investigate the security breach and remove the malicious code. The Register estimated that the code was active in BrowseAloud for up to thirteen hours. It used visitors' computers to perform computationally intensive calculations,[13] [14] potentially slowing their computers' performance and reducing battery life or consuming their electricity. The National Cyber Security Centre referred to such activity as "illegal".

Among the customers whose websites were affected were the UK's Information Commissioner[15] [16] (who shut down their website as a precaution), the Administrative Office of the U.S. Courts,[17] and the governments of the Australian states of Victoria and Queensland.[18] [19]

The issue was detected by Scott Helme, a UK-based information security consultant. Hatmaker and Boyd each pointed out that the vulnerability used in the attack could have been used to steal visitors' personal information. Both Helme and the NCSC recommended that website developers use subresource integrity as a defence against such attacks.
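
The subresource integrity check recommended above, sketched as an added example for Node.js (not code from Texthelp, Helme or the NCSC). It shows how a publisher derives the integrity value for a third-party script and how the browser's comparison rejects a file changed on the host; the URL, function names and script bodies are constructed for illustration.

```javascript
// Added illustration of Subresource Integrity (SRI); runs under Node.js.
const crypto = require('crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Value for the integrity attribute of a <script> or <link> element.
function sriFor(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Tag a publisher would embed; crossorigin is required for cross-origin SRI.
function scriptTag(url, body) {
  return `<script src="${url}" integrity="${sriFor(body)}" crossorigin="anonymous"></script>`;
}

// Reproduce the browser's decision: parse the attribute, keep only the
// strongest algorithm listed, and load the file if any such digest matches.
function verifySri(body, integrity) {
  const entries = integrity.trim().split(/\s+/).map((token) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(token);
    return m ? { alg: m[1], digest: m[2] } : null;
  }).filter(Boolean);
  // Unsupported or malformed tokens are ignored; with nothing left the
  // browser enforces nothing, so a typo in the attribute removes the defence.
  if (entries.length === 0) return true;
  const best = entries.reduce((a, e) =>
    (STRENGTH.indexOf(e.alg) > STRENGTH.indexOf(a) ? e.alg : a), 'sha256');
  const actual = crypto.createHash(best).update(body).digest('base64');
  return entries.some((e) => e.alg === best && e.digest === actual);
}

// Constructed sample bodies: the file the publisher reviewed, and the same
// file after someone with write access to the host appended a line.
const REVIEWED = 'function readAloud(text) { /* toolbar code */ }\n';
const MODIFIED = REVIEWED + 'loadUnreviewedCode();\n';
const PINNED = sriFor(REVIEWED);

console.log(scriptTag('https://cdn.example/toolbar.js', REVIEWED)); // hypothetical URL
console.log('reviewed file loads:', verifySri(REVIEWED, PINNED));
console.log('modified file loads:', verifySri(MODIFIED, PINNED));
```

Pinning a digest only works when the vendor serves each release at a fixed, versioned URL; a file that is updated in place stops loading on every site that pinned the earlier digest.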

The attack was estimated to have only earned the attackers the equivalent of $24 in the Monero cryptocurrency.[20] Some commentators, such as Chris Boyd of Malwarebytes, suggested that the attack was relatively mild, as the attackers could have been testing a method for future use.

Notes and References

  1. "Text-To-Speech – Software Comparison - Digital Accessibility Centre (DAC)". www.digitalaccessibilitycentre.org. Retrieved 2018-02-20. Archived at https://web.archive.org/web/20180221035558/http://www.digitalaccessibilitycentre.org/index.php/articles/61-text-to-speech on 21 February 2018.
  2. "Accessibility". Association of Voluntary Service Managers. Retrieved 19 February 2018. Quote: "Browsealoud... is not designed to be a substitute for a full screen reader program such as Window Eyes or Jaws."
  3. Public Technology. http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=13070&mode=thread&order=0&thold=0
  4. Morpeth Herald. https://archive.today/20120905135619/http://www.morpethherald.co.uk/news/Northumberland-health--now-you.5238884.jp
  5. "New Media Awards 2004". Archived at https://web.archive.org/web/20120204223553/http://www.newstatesman.com/nma/nma2004/nma2004winners.htm on 2012-02-04.
  6. Liversidge, Paul (26 May 2004). "Browsealoud opinions sought". comp.infosystems.www.authoring.html.
  7. Groves, Karl (19 April 2012). "Can Assistive Technology Make a Website Accessible?". Retrieved 19 February 2018. Quote: "People who require text-to-speech in order to gain access to content will need it on all websites and, indeed, on all software applications they use, not just their browser."
  8. Greenfield, Patrick (11 February 2018). "Government websites hit by cryptocurrency mining malware". The Guardian. Retrieved 19 February 2018.
  9. Stylianou, Nick (2018-02-15). "UK Government website offline after hack infects thousands more worldwide". Sky News. Retrieved 19 February 2018.
  10. Burgess, Matt (2018-02-12). "UK government websites were caught cryptomining. But it could have been a lot worse". Wired UK. Retrieved 19 February 2018.
  11. Williams, Chris (2018-02-11). "UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned". The Register. Retrieved 19 February 2018.
  12. Ashford, Warwick (2018-02-12). "Criminals hijack government sites to mine cryptocurrency used to hide wealth". ComputerWeekly.com. Retrieved 19 February 2018.
  13. Hatmaker, Taylor (2018-02-12). "Cryptocurrency-mining malware put UK and US government machines to work". TechCrunch. Retrieved 19 February 2018.
  14. "NCSC advice: Malicious software used to illegally mine cryptocurrency". Retrieved 19 February 2018. Quote: "The NCSC is aware of a compromise of the third-party JavaScript library ‘Browsealoud’ which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers."
  15. "U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked". BleepingComputer. Retrieved 2018-02-20.
  16. "4K+ Websites Infected with Crypto-Miner after Tech Provider Hacked" (2018-02-12). The State of Security. Retrieved 2018-02-20.
  17. Otto, Greg (12 February 2018). "Cryptomining scheme ropes in dozens of government websites - CyberScoop". Cyberscoop. Retrieved 19 February 2018.
  18. Meyer, David (2018-02-12). "How the U.S. Courts Website Unwittingly Became a Cryptocurrency Miner". Fortune. Retrieved 19 February 2018. Archived at https://web.archive.org/web/20180217053548/http://fortune.com/2018/02/12/us-courts-coinhive-monero-cryptocurrency-miner/ on 17 February 2018.
  19. "Cryptomining script poisons government websites – What to do" (2018-02-12). Naked Security. Retrieved 2018-02-20.
  20. Hern, Alex (14 February 2018). "Huge cryptojacking campaign earns just $24 for hackers". The Guardian. Retrieved 19 February 2018.