Mixed Mining Arts? UFC Website Removes Malicious Crypto Code
It's the latest large site seen to be running up site visitors CPU to crank out cryptocurrency.
A subscription streaming site owned by mixed martial-arts powerhouse Ultimate Fighting Championship (UFC) is at the center of the latest controversy around clandestine, browser-based cryptocurrency mining.
Multiple users on social media reported yesterday that code developed by Coinhive – a monero mining script that can be embedded in a web page – was found in the code on the UFC's Fight Pass streaming site. It's unclear at this time where the code was sourced from, and a customer support staffer for UFC told a user that "we take these matters very seriously, and will review this."
“Immediately upon learning of the reported issue, Neulion, UFC’s over-the-top digital service provider, reviewed the UFC.TV/FIGHTPASS site code and did not find any reference to the mentioned Coinhive java script," A UFC spokesperson wrote in a statement to CoinDesk, subsequent to publication. "We are continuing to review the available information and feel confident that there are no coding issues across the site at this time.”
But Reddit users contend they found lines of code for Coinhive's mining script in the HTML for the page, as shown in two different screengrabs shared to Imgur.
The software was also spotted running by several users, included one who later flagged it onon Twitter. After one reddit user emailed UFC support about it, he got a response saying that they were looking into it. The attention that the situation attracted appears to have spurred UFC to action, as the script was ultimately removed, according to another post.
None of the screencaptures on the Internet Archive from yesterday show the script in the source code on UFC.com, but the captures from yesterday were made after these reports started coming out.
The move represents the latest instance in which a well-known site played unwitting host to the Coinhive script, which utilizes a user's computer capacity to mine the privacy-oriented cryptocurrency monero.
Subsequent to publication, Coinhive emailed CoinDesk to say that since none of the screenshots included the site key, it couldn't give any information on how much had been mined or if it had happened. "For what it's worth, we didn't notice any new 'top user' in our internal site wide dashboard. So the miner was either removed quickly again or didn't affect a lot of endusers," the company wrote in a statement. "Just for the record, we have a strict policy against using our service on 'hacked' sites and will terminate accounts that violate our terms of service, as soon as we're notified of them."
A streaming service run by Showtime previously found Coinhive code running on its sites, and web security firm Cloudflare has expressed its intent to crack down on sites that add mining software to sites without first notifying users.
This story has been updated with comment from Coinhive and UFC.
STORY CONTINUES BELOW
Correction: A previous version of this article inaccurately stated that CoinDesk has been in contact with UFC.
UFC fighter Vitor Belfort via Shutterstock.