Global cyber attack hit municipal website
Cambridge city website users affected
CAMBRIDGE — A worldwide cyberattack briefly hit the City of Cambridge website last weekend, the city confirms.
During a span of four hours and six minutes on Sunday morning, visitors to Cambridge.ca had their browsers covertly hijacked by cryptocurrency miners while the visitors remained on the website.
How many visitors? An estimated 474, the city says.
Their computers, as silently ordered by a devious secret script, then used their processing power to help hackers solve computational puzzles to create a cryptocurrency called Monero.
The computer owners, who were never asked for permission, had no clue.
The crypto-jacking ended when the user left the city web page or closed it. Still, a weak security link got exploited for the duration of each visit.
The culprit? A text-to-voice plug-in called Texthelp
Browsealoud, which is used on the city site to help the visually challenged.
Browsealoud got hacked. Therefore, the city website, and 4,200 other sites using the plug-in around the globe, had been violated too.
Thousands of sites, including the City of Cambridge’s, were compromised. Hundreds of computers — not mobile devices, they don’t have the power to pull off the crypto-deed — got quietly commandeered.
“There was no information stolen from the visitors’ devices,” said George Georgiadis, the city’s chief information officer, on Wednesday.
“At no point was there any attempt to access personal data on the user’s computer,” he added in an email.
That’s what the city is being assured by Browsealoud. No customer data was accessed or lost during the cyber-jacking, which began at 6:14 a.m.
The city says automated security tests by the city’s service provider, eSolutions, detected an issue. Browsealoud was removed from the website at 10:20 a.m.
“These type of incidents are not uncommon,” Georgiadis said.
“It hasn’t happened to us before. But this is not the first time, in theory, that hackers are trying to exploit some sort of vulnerability, in this case it was the Browsealoud vulnerability.”
Texthelp later took down its site while Browsealoud security was to be improved. The site was to remain off-line until Thursday.
“The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency,” read a statement posted online by Northern Ireland-based Texthelp.
“This was a criminal act and an investigation is currently underway.”
International security researcher Scott Helme, according to The Guardian, is credited with pointing out the security breach after a friend detected an issue after visiting a United Kingdom government website.
Thousands of sites, some operated by government agencies, were affected from Australia to Europe to Canada, according to a handful of tech news sources. Other Canadian sites, besides Cambridge.ca, are among them.
Oshawa, Pickering and Huron County have Browsealoud on their websites.
In Cambridge, as of Wednesday, it hadn’t been decided if Browsealoud would remain on the city website. That is still to be determined.
“I don’t think it’s really used that much,” city spokesperson Susanne Hiller said. “In fact, we were even questioning whether the tool was needed or not. But, obviously, for accessibility purposes, we want to have these tools available.”
The City of Kitchener doesn’t use Browsealoud on its website. The City of Waterloo removed Browsealoud from its site in early 2017.
“We used to have it on our website, but it was never used,” City of Waterloo spokesperson Janice Works said in an email on Wednesday. “The trend has been that individuals have their own technologies available to assist in reading web pages.”
In Cambridge, where online voting will be used for a second straight municipal election come October, the issue of cybersecurity is likely to be front-and-centre in the wake of the Browsealoud hack.
Last April, Essex spoke to Guelph city council about the security perils of online voting as that council rejected digital advance polls in 2018. Essex, an assistant professor in Western University’s computer engineering department, wants people to be aware of the limitations of cybersecurity in the online voting setting.
Georgiadis says Cambridge will use a qualified service provider, one used by a number of municipalities, to ensure secure online voting in October. Also, extra paper ballots will be ready in case the system crashes.
“Security is always a concern,” Georgiadis said. “The fears of a potential incident — the concern there is not of stolen information. It would be more the concern if something happens and the service is not available.”