BrowseAloud is assistive technology software that adds text-to-speech functionality to websites.[1] It is designed by Texthelp Ltd, a Northern Ireland–based company that specialises in the design of assistive technology. BrowseAloud adds speech and reading support tools to online content to extend the reach of websites for people who require reading support. The JavaScript-based[2] tool adds a floating toolbar to the web page being visited. The service is paid for by the website's publisher and is free to website visitors.[3]
BrowseAloud has been criticised by technologists for the need to use a mouse to select text before BrowseAloud would read it.[7] This required vision and motor skills to use, making BrowseAloud inaccessible to groups that could use other screen readers, such as JAWS. Commentators have noted that BrowseAloud is not a substitute for such tools.[3][8]
Malware
On 11 February 2018, a Sunday, over 4,200 BrowseAloud customers (some sources said over 5,000[9][10]) had their websites infected with Coinhive code after BrowseAloud, hosted on Amazon Web Services,[11] was hacked.[2] Although Coinhive (which generates Monero, a form of cryptocurrency) has legitimate uses,[12] its insertion in the manner used in the attack was described as "malicious" by The Register's Editor in Chief Chris Williams,[2] and as "malware" by Taylor Hatmaker in TechCrunch.[13]
The BrowseAloud service was disabled by Texthelp to allow their engineers to investigate the security breach and remove the malicious code. The Register estimated that the code was active in BrowseAloud for up to thirteen hours.[2] It used visitors' computers to perform computationally intensive calculations,[13][14] potentially slowing their computers' performance and reducing battery life or consuming their electricity.[14] The National Cyber Security Centre referred to such activity as "illegal".[9][14]
Among the customers whose websites were affected were the UK's Information Commissioner[2][15][16] (who shut down their website as a precaution[11]), the Administrative Office of the U.S. Courts,[17] and the governments of the Australian states of Victoria and Queensland.[18][19]
The issue was detected by Scott Helme, a UK-based information security consultant.[2] Hatmaker and Boyd each pointed out that the vulnerability used in the attack could have been used to steal visitors' personal information.[13] Both Helme and the NCSC recommended that website developers use subresource integrity as a defence against such attacks.[14]
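The subresource integrity defence recommended above can be sketched as follows. This is an added example, not code from Texthelp, Helme or the NCSC; the host `cdn.example`, the file names and the script bodies are constructed, and `sriHash`, `integrityMatches` and `scriptsWithoutSri` are hypothetical helper names. It computes an integrity value, applies the same comparison a browser makes before running a script, and lists cross-origin scripts on a page that carry no integrity attribute.

```javascript
const crypto = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest

// Build an integrity value: "<alg>-<base64 digest of the script bytes>".
function sriHash(body, alg = 'sha384') {
  return `${alg}-${crypto.createHash(alg).update(body).digest('base64')}`;
}

// Mirror the browser check: only digests using the strongest listed
// algorithm count, and the fetched bytes must match one of them.
function integrityMatches(body, integrity) {
  const tokens = integrity.trim().split(/\s+/)
    .map((t) => t.split('?')[0])
    .filter((t) => STRENGTH.includes(t.split('-')[0]));
  if (tokens.length === 0) return true; // no usable metadata: nothing is enforced
  const best = Math.max(...tokens.map((t) => STRENGTH.indexOf(t.split('-')[0])));
  return tokens
    .filter((t) => t.startsWith(STRENGTH[best] + '-'))
    .some((t) => t === sriHash(body, STRENGTH[best]));
}

// Audit: cross-origin <script src> tags that have no integrity attribute.
function scriptsWithoutSri(html, pageOrigin) {
  const missing = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(tag);
    if (!src) continue; // inline script, nothing to pin
    const url = new URL(src[1], pageOrigin);
    const crossOrigin = url.origin !== new URL(pageOrigin).origin;
    if (crossOrigin && !/\bintegrity\s*=/i.test(tag)) missing.push(url.href);
  }
  return missing;
}

// Constructed sample data: the hosts, paths and script bodies are made up.
const PAGE = 'https://www.example.org/';
const original = 'window.toolbar = { speak() {} };\n';
const tampered = original + '/* lines added by whoever controls the host */\n';
const html = `
<script src="/js/site.js"></script>
<script src="https://cdn.example/toolbar.js"></script>
<script src="https://cdn.example/pinned.js" integrity="${sriHash(original)}" crossorigin="anonymous"></script>`;

console.log(scriptsWithoutSri(html, PAGE));
console.log(integrityMatches(original, sriHash(original)), integrityMatches(tampered, sriHash(original)));
```

Because the pin covers the exact bytes, any change to the hosted file, including a legitimate vendor update, makes the browser refuse the script until the page's integrity value is updated.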
The attack was estimated to have only earned the attackers the equivalent of $24 in the Monero cryptocurrency.[20] Some commentators, such as Chris Boyd of Malwarebytes, suggested that the attack was relatively mild, as the attackers could have been testing a method for future use.[11]
"Accessibility". Association of Voluntary Service Managers. Retrieved 19 February 2018. Browsealoud... is not designed to be a substitute for a full screen reader program such as Window Eyes or Jaws.
Groves, Karl (19 April 2012). "Can Assistive Technology Make a Website Accessible?". Retrieved 19 February 2018. People who require text-to-speech in order to gain access to content will need it on all websites and, indeed, on all software applications they use, not just their browser.
"NCSC advice: Malicious software used to illegally mine cryptocurrency". National Cyber Security Centre. Retrieved 19 February 2018. The NCSC is aware of a compromise of the third-party JavaScript library 'Browsealoud' which happened on 11 February 2018. During the compromise, anyone who visited a website with the Browsealoud library embedded inadvertently ran mining code on their computer, helping to generate money for the attackers.