Issue Summary

An XSS exploit in our KaTeX parser was used to embed a JavaScript crypto miner in clients via an exploitative message.

The exploitative message was spread across 25 rooms and 146 users read those messages. The messages were available for about 1 hour (minutes after being reported) before being cleaned up across the board.

User Remediation Steps

To check if you are affected, open up the devtools(right-click on the page -> Inspect element) and search for <script src="https://coinhive.com/lib/coinhive.min.js"></script> in the “Elements”(Chrome)/”Inspector”(Firefox) panel. You can also check to see if you are running at 100% CPU usage as the miner likes to use every core available.

Refreshing the page is sufficient to stop the exploit but the tab will most likely hang and you will need to manually kill the tab via your browser or OS task manager to fully reload again.

If you are using the desktop app, it’s best to play it safe and kill the process.

Gitter Remediation Strategy

We've hot-patched our servers so the exploit no longer works and cleared out any messages that included the exploit.

In order to get affected users to take action, we have manually caused a refresh on clients which will blank out the page(will still be mining during this time) but will need a kill/refresh before being able to interact with Gitter again.

We will be creating a fix for gitterHQ/gitter-markdown-processor in the following days so it stays patched.

We apologize for this incident, and the resulting hardware misuse that occurred.

Update 2018-2-16: We patched up a related alternative XSS vector that someone was able to reproduce.

To report security issues with Gitter, please follow our responsible disclosure policy(Gitter was acquired by GitLab).