BrowseAloud
BrowseAloud is assistive technology software that adds text-to-speech functionality to websites.[1] It is designed by Texthelp Ltd, a Northern Ireland–based company that specialises in the design of assistive technology. BrowseAloud adds speech and reading support tools to online content to extend the reach of websites for people who require reading support. The JavaScript-based[2] tool adds a floating toolbar to the web page being visited. The service is paid for by the website's publisher; and is free to website visitors.[3]
BrowseAloud has been used in the United Kingdom by local councils,[4] and parts of the National Health Service.[5] The software won a New Statesman New Media Award in 2004.[6]
Controversies
BrowseAloud has been criticised by technologists for the need to use a mouse to select text before BrowseAloud would read it.[7] This required vision and motor skills to use, making BrowseAloud inaccessible to groups that could use other screen readers, such as JAWS. Commentators have noted that BrowseAloud is not a substitute for such tools.[3][8]
Malware
On 11 February 2018, a Sunday, over 4,200 BrowseAloud customers (some sources said over 5,000[9][10]) had their websites infected with Coinhive code after BrowseAloud, hosted on Amazon Web Services,[11] was hacked.[2] Although Coinhive—which generates Monero, a form of cryptocurrency—has legitimate uses,[12] the insertion of it in the manner in the attack was described as "malicious" by The Register's Editor in Chief Chris Williams;[2] and as "malware" by Taylor Hatmaker, in TechCrunch.[13]
The BrowseAloud service was disabled by Texthelp, to allow their engineers to investigate the security breach and remove the malicious code. The Register estimated that the code was active in BroswseAloud for up to thirteen hours.[2] It used visitors' computers to perform computationally-intensive calculations,[13][14] potentially slowing their computer's performance and its reducing battery life or consuming their electricity.[14] The National Cyber Security Centre referred to such activity as "illegal".[9][14]
Among the customers whose websites were affected were the UK's Information Commissioner[2][15][16] (who shut down their website as a precaution[11]), the Administrative Office of the U.S. Courts,[17] and the governments of the Australian states of Victoria and Queensland.[18][19]
The issue was detected by Scott Helme, a UK-based information security consultant.[2] Hatmaker and Boyd each pointed out that the vulnerability used in the attack could have been used to steal visitors' personal information.[13] Both Helme and the NCSC recommended that website developers use subresource integrity as a defence against such attacks.[14]
The attack was estimated to have only earned the attackers the equivalent of $24 in the Monero cryptocurrency.[20] Some commentators, such as Chris Boyd of Malwarebytes, suggested that the attack was relatively mild, as the attackers could have been testing a method for future use.[11]
References
- "Text-To-Speech – Software Comparison - Digital Accessibility Centre (DAC)". www.digitalaccessibilitycentre.org. Archived from the original on 21 February 2018. Retrieved 20 February 2018.
- Williams, Chris (11 February 2018). "UK ICO, USCourts.gov... Thousands of websites hijacked by hidden crypto-mining code after popular plugin pwned". The Register. Retrieved 19 February 2018.
- "Accessibility". Association of Voluntary Service Managers. Retrieved 19 February 2018.
Browsealoud... is not designed to be a substitute for a full screen reader program such as Window Eyes or Jaws.
- Public Technology
- Morpeth Harold
- "New Media Awards 2004". New Statesman. Archived from the original on 4 February 2012.
- Paul Liversidge (26 May 2004). "Browsealoud opinions sought". Newsgroup: comp.infosystems.www.authoring.html.
- Groves, Karl (19 April 2012). "Can Assistive Technology Make a Website Accessible?". Retrieved 19 February 2018.
People who require text-to-speech in order to gain access to content will need it on all websites and, indeed, on all software applications they use, not just their browser.
- Greenfield, Patrick (11 February 2018). "Government websites hit by cryptocurrency mining malware". The Guardian. Retrieved 19 February 2018.
- Stylianou, Nick (15 February 2018). "UK Government website offline after hack infects thousands more worldwide". Sky News. Retrieved 19 February 2018.
- Burgess, Matt (12 February 2018). "UK government websites were caught cryptomining. But it could have been a lot worse". Wired UK. Retrieved 19 February 2018.
- Ashford, Warwick (12 February 2018). "Criminals hijack government sites to mine cryptocurrency used to hide wealth". ComputerWeekly.com. Retrieved 19 February 2018.
- Hatmaker, Taylor (12 February 2018). "Cryptocurrency-mining malware put UK and US government machines to work". TechCrunch. Retrieved 19 February 2018.
- "NCSC advice: Malicious software used to illegally mine cryptocurrency". National Cyber Security Centre. Retrieved 19 February 2018.
The NCSC is aware of a compromise of the third-party JavaScript library 'Browsealoud' which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers.
- "U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked". BleepingComputer. Retrieved 20 February 2018.
- "4K+ Websites Infected with Crypto-Miner after Tech Provider Hacked". The State of Security. 12 February 2018. Retrieved 20 February 2018.
- Otto, Greg (12 February 2018). "Cryptomining scheme ropes in dozens of government websites - CyberScoop". Cyberscoop. Retrieved 19 February 2018.
- Meyer, David (12 February 2018). "How the U.S. Courts Website Unwittingly Became a Cryptocurrency Miner". Fortune. Retrieved 19 February 2018.
- "Cryptomining script poisons government websites – What to do". Naked Security. 12 February 2018. Retrieved 20 February 2018.
- Hern, Alex (14 February 2018). "Huge cryptojacking campaign earns just $24 for hackers". The Guardian. Retrieved 19 February 2018.