What if you could set your computer to mine for cryptocurrency, in exchange for access to premium features from your productivity ? That was the thinking that spurred Qbix, developer of Calendar 2, to add a Monero mining system into its app. However, following a large backlash from the Mac community due to the idea not working so well in practice, the feature has been quickly removed.
“Even if it’s user opt-in, but done poorly or not transparently – it’s still cryptojacking,” Troy Mursch, a Las Vegas-based security expert that publicized a Google Chrome attack last year, tells Inverse. Cryptojacking is the act of using a computer user’s resources to mine cryptocurrency for the app developer, instead of the computer owner itself like with most mining setups. It can slow down , or in severe cases even cause smartphone to fail due to overheating.
On Monday, reported that Calendar 2 introduced a new tier of upgrade as part of its model. The company previously offered a basic free tier with no extra features, a $0.99 per month subscription for access to all new and future premium features, or a $17.99 one-off payment for the same benefits. A fourth option unlocked all features for free, using the xmr-stack-miner to use the Mac’s processing power to generate cryptocurrency that’s sent to the developer. The fact that app was available through Apple’s pre-approved App Store suggested the Mac maker also approved of the practice.
Soon after the story went live, Qbix founder Gregory Magarshak revealed that the company decided to remove the mining feature for three key reasons:
- It didn’t work as expected. One bug caused the miner to run all the time, while another caused the miner to use far higher percentages than the 10 to 20 percent of power mandated by Qbix. The miner’s developer did not reveal the underlying source code to Qbix, and it would take too long to rectify.
- The fact it didn’t work gave people the wrong impression. Magarshak said that the bugs left people with the idea that Qbix didn’t really want to get people’s permission, which was not the case at all.
Note that this was not exactly the same as other cryptojacking incidents, where legitimate websites are attacked by to harvest visitors’ resources. Tesla was one recent victim, as was a Google Chrome extension. While Qbix tried to ask for permission before using its customers’ resources, the issues around bugs taking more than expected and a proof-of-work system that provides bad incentives shows why it may not be good enough to simply ask first.
However, Mursch argues that the Qbix incident does count as cryptojacking because users didn’t really understand what they were agreeing to.
You’ve read that, now watch this: “The Creator of Litecoin Is A Meme King”