I would say probably yes but not got time to confirm 100% at the moment. If it’s script within the page, and it’s a script your browser understands (language wise, which I am sure Safari does) then yes, the script is running and your browser is doing what the code tells it to do.
Good shout about Brave. For those interested in not having their entire browsing habits monitored, recorded and used for marketing and God knows what else forever more… you could try replacing your default search engine from Google to StartPage or DuckDuckGo.
Browser plugins like Privacy Badger or UBlock Origin are handy for blocking a lot of crap too, not sure if they will work for this bitcoin script or not but they tend to pick up most spurious calls and activity which you probably don’t want just from visting a webpage.
Yes, that will definitely do the trick… if the “trick” is to screw up the way all websites work on your browser. I would suggest the best option is to fix websites before asking users to ruin their browser’s functionality for the sake of one site. But that’s just me. Nearly all websites use JS in their pages and need to in order to function normally. Maybe the real trick would be to turn the computer off, oh, no wait a sec… (baby…bathwater…)
The Firefox and Chrome addons I linked to above will also stop many other sites from functioning normally. But the settings can be customised and remembered for each regularly visited site. The Brave browser appears the easiest to use, but I had some problems before where a website did not work in Brave, and I could not figure out how to change that.
Using the Brave browser and comparing background activity to Chrome and I.E. on several sites, I found that Swaylocks is not the only one with background activity running even when I am just sitting ‘idle’ on homepage. I don’t know if it is the same activity present on Swaylocks but the CPU column shows a number similar to what I was getting on Sways. The Brave browser really seems to help eliminate it all. I get a ‘stat’ report saying how many tracking sites, etc it has blocked. I’m sold.
I guess this is why (even though they are not perfect); I Love Apple so much. I had a laptop that was not IPad or IPhone that I used to use for Sways and it is so mucked up with stuff it picked up from this site that it is no longer usable. Also had a desk top that got a virus from Sways and crashed—- Permanently. I have Wi-Fi up here in the woods now so I am able to access Sways at home. We never do Sways on the new desk top so it is still alive and well. Got rid of AT&T Direct TV and their poor service tech contractor. Switched to Dish, got a router and all is well.
Privacy Badger and Ublock Origin (and WebRTC) and FlashBlock Plus and Ad Block Plus will kill just about everything and anything, it will also make most websites a pain in the ass to use! I have several browsers, I use one for totally clean and green surfing, testing websites and stuff like that where I want to be like any normal user. I have another one with all the above plugins installed, for when visiting a site I do not want to track me, or when switching Google accounts for testing reasons where I need to be anonymous to their trackers.
Brave will probably be an easier way of doing all of that, so that gets an upvote from me too, as does Tor browsers but another one worth mentioning is Waterfox - It’s firefox without most the crap. Worth a look along the same lines as Brave. I tried both and prefer Waterfox but I was used to Firefox so it was probably just a familiarity thing.
Oki-doki – all set. Some malicious person had inserted that snippet of code in a block of the site typically only accessible by administrators. Totally unclear how they did that.
On Drupal, which swaylock’s is based on (and all open source web platforms for that matter), web security is a never ending arms race where the perps take a step forward and we react. New vulnerabilities are discovered and patches are issued by the community. The best I can do is make sure we always have the latest security patches applied.
As far as swaylock’s being “loaded with viruses” – I seriously doubt that. I run the site on a very widely used software (meaning lots of eyeballs on security vulnerabilities) and I keep it updated with securty patches. I don’t know of anyway a website can “infect” your computer, unless you accept some sort of prompt to download something. I could be wrong there – but I don’t think so. I addition most modern browsers will warn you if a website seems malicious, and noone has reported anything here.
I for one have been browsing Swaylock’s since the beginning and this episode is the first time (to my memory) some sort of “hacker effect” has taken place. Bugs and problems get reported quickly by the large Swaylock’s user base (3000+ visitors a day). This is the first time I can remember that such a “virus” was even reported by the community. All of this supports my sense that Swaylock’s is a perfectly safe site to browse.
“I don’t know of anyway a website can “infect” your computer, unless you accept some sort of prompt to download something.” - Agreed. The only comment I would add is that some people have their browsers set to being less secure than others, or maybe to auto download things without prompting etc. But that’s their can to carry. Sways isn’t loaded with viruses, one script which was inserted isn’t a virus, and its gone now anyway. thanks again
lots of eyeballs is a double edge sword in my opinion.
Widely used software is targeted much more often, on my server I see lots of attempts get into wordpress and drupal admin panels, while I’m not running any of those at all.
So when using widely used systems it is crucial to update them as soon as a patch comes out and even then you might be late and things like this might have happened, depending on how fast patches are made and distributed.
Less adopted systems are often easier to hack into. However the amount of attempts is much lower as hackers do not spend time on targetting those systems. Unless your are targetted specificly of course.
The key to security is simplicity. Having a system that does just what you need and nothing more (e.g. having no admin interfaces through the browser), limiting the amount of attack surfaces is key. Unfortunately this requires very in depth knowledge of the underlying system.
About the injected code. I had it blocked using privacy badger, blocking the ethtrader.de domain.
You can probably report this incident to them, based on the script they can possibly block that user’s account. Not sure it’ll have much effect on them though.
Your doing a good job with this website Mike, this has been a very unfortunate event. And indeed I can’t remember anything like this around here.
But I guess these kind of attacks will get more frequent all over the web. A good cross domain blocker is an important tool for users of the modern web.