GitLab tackles crypto-mining abuse with payment card checks for free accounts


Adam Bannister

18 May 2021 at 13:31 UTC

Updated: 18 May 2021 at 13:50 UTC

Security control could be rolled out more widely if it fails to halt rise in abuse

A surge in crypto-mining abuse on GitLab has prompted the DevOps platform to mandate that even customers with free accounts must include payment card details in order to use its pipeline services.

The San Francisco-based company says it has introduced the measure in part because the problem was creating “performance issues”.

“Recently, there has been a massive uptick in abuse of free pipeline minutes available on and on other CI/CD providers to mine cryptocurrencies,” said GitLab in a blog post announcing the change.


“In addition to the cost increases, the abuse creates intermittent performance issues for users and requires our teams to work 24/7 to maintain optimal services for our customers and users.”

As of yesterday (May 17), “GitLab will require new free users to provide a valid credit or debit card number in order to use shared runners on”.

The payment cards will not be charged but instead will be verified with a one-dollar authorization transaction, GitLab said.

New, free SaaS users who decline to provide card details will not have access to any GitLab features relying on pipelines, unless they use their own runner and disable shared runners.

“Although imperfect, we believe this solution will reduce the abuse,” the company explained.

Scope for expansion

Users who created a GitLab account before May 17 will be exempt from the new security control, along with GitLab self-managed users, and paying or program users.

However, GitLab said it was ready to widen the scope of the new measure if the changes fail to have the desired effect.

“If we continue to see abuse through existing free accounts, we plan to extend the requirement to additional users,” it explained.


GitLab said previous measures it had taken to deter illicit crypto-mining had been “helpful” but “not sufficient” in achieving this aim.

These have included failing pipelines and job creation when pipeline minute quotas are exceeded, restricting the creation of namespaces via the API, allowing pipelines to be terminated when a user is blocked, and preventing pipelines from running if they are owned by blocked users.

The software development organization has also closed gaps that allowed jobs to keep running through user accounts their owners had deleted, and enhanced its external pipeline validation service.

“We believe using pipeline minute quotas as the foundation for free minute usage will be the best mechanism for failing jobs and pipelines to stop abuse,” said GitLab.

Non-paying GitLab users can use up to 400 free CI/CD minutes each month.

“We will never fully solve platform abuse, but the more barriers we put up, the more difficult and expensive it becomes to engage in abuse,” said GitLab.

Colossal energy consumption

Crypto-mining, or cryptocurrency mining, verifies cryptocurrency transactions by using the processing power of computers to solve computationally intensive mathematical problems.

Cybercriminals can profit from the technique by infecting target machines with ‘cryptojacking’ malware and corralling them into botnets that generate illicit profits from these transactions.

In news that illustrated crypto-mining’s enormous resource demands, Bitcoin’s value plunged last week after Tesla co-founder Elon Musk said the electric car maker would no longer accept the cryptocurrency as payment because its colossal energy consumption was hampering the fight against climate change.

The Daily Swig has asked GitLab to comment further on this development. We will update the article if and when a reply is forthcoming.
