Hacking WiFi to inject cryptocurrency miner to HTML requests (CoffeeMiner)

I've thought about adding something like this to my guest wifi to mine some cryptocurrency - but quickly dismissed it as most guests would need to use a charger soon(ish) and thus using my electricity :P

I find it funny how, even after publishing this post, the author hasn't configured a http -> https redirect for his own site.

Excellent write up. That’s why we need SSL/TLS with HSTS. Pure HTTP, specially in public WiFi, is dead.

This is why it's important to always use a VPN when connecting to an untrusted wifi, such as a coffee shop or airport wifi. Either pay $3 /month to a provider or setup your own with something like pivpn.

Given the recently disclosed vulnerabilities, instead of a cryptocurrency miner, it could be a Spectre exploit trying to scan and exfiltrate data from the computer's memory. We might be now at the point where disabling all Javascript for non-HTTPS pages is a good default.

This is (one of the reasons) why we need https.

I guess all it takes is one request to a non-https site?

Interesting method, but yes; wouldn&#x27;t HTTPS mitigate this script from being injected? Trying to get awareness for my own original miner written from scratch <a href="https:&#x2F;&#x2F;www.sparechange.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.sparechange.io&#x2F;</a> Interesting learning WASM.

Some buildings (hostels and shared accomodations) have shared internet (secured with WPA2). This type of attack might be particularly profitable in such situations.

Does someone need to have control of the router to do this? Or how could it work otherwise?

(OT: petteralexander&#x27;s name shows a different color than other usernames. Why?)

Won&#x27;t modern browsers block this anyway?

Https everywhere extension fix it right?

This is great! Wow!