2018-07-24 11:55
On July 23rd, Etherscan announced in a Reddit post that a suspected attack on its website had been detected and blocked. User funds and the platform itself were reported to be safe.
Etherscan is the leading block explorer for the Ethereum blockchain. A block explorer is essentially a search engine that lets users look up, confirm and validate transactions recorded on the Ethereum blockchain. Etherscan is not funded, operated or managed by the Ethereum Foundation; it exists as an independent entity.
Ethereum's public ledger (in effect a decentralized database) is indexed by Etherscan.io, which then makes that information available through its site. Its stated mission is to facilitate blockchain transparency by indexing every transaction on the Ethereum blockchain and making it searchable in the most transparent and accessible way possible.
What Was The Attack?
Etherscan received reports of JavaScript alert boxes containing the string "1337" appearing at random on Etherscan.io. On investigation, the alerts turned out to have been injected through the summarized Disqus comments that are displayed in the site footer at the bottom of each page.
Beyond the pop-up itself, no system was compromised. There were three attempts to inject the alert("1337") payload: the first appeared non-malicious, and the following two came from someone known to the Etherscan team (most likely experimenting). A further, fourth attempt tried to inject a web3.js transaction call, but that payload was truncated by Etherscan's backend and never executed.
What Followed After The Attack?
Etherscan first disabled the summarized Disqus comments in the page footer. They then built and tested a patch that HTML-encodes the footer comments before they are rendered, so that comment text can no longer be interpreted by the browser as markup or script, and deployed it to handle unescaped JavaScript arriving via the top-comments section. According to Etherscan, a web3.js injection would not have succeeded under the circumstances in any case. Etherscan then informed its users about the incident on Twitter and Reddit.
A quick update on the random "1337" script pop-up on https://t.co/VAEURQyNAG https://t.co/3N222GMucu
— Etherscan.io (Not giving away Ether) (@etherscan) July 23, 2018
Is Using Disqus A Point Of Vulnerability?
Etherscan's position is that although Disqus encodes comments on its own pages, the comment text returned through the Disqus API is not encoded. Disqus developers responded that a site using a custom integration to display comments (as Etherscan does) should render the message field, which Disqus has already sanitized, rather than raw_message, which holds the commenter's original text and must be escaped by the site itself before it is placed in the page. Etherscan developers have taken note of this and will implement the change in the near future.
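To make the raw_message problem concrete, here is an added example (not code from Etherscan or Disqus) showing a footer renderer that interpolates raw_message straight into markup, beside a hardened version that HTML-escapes every untrusted string first. The post objects are constructed sample data shaped like Disqus API post objects; the assumption that message is the Disqus-sanitized form and raw_message the original submission follows the page's description. Rendering the pre-sanitized message field, as Disqus recommends, is the other fix and is not shown here.

```javascript
// Added example, not Etherscan's or Disqus's code. Demonstrates why
// rendering raw_message unescaped is a stored XSS, and the escaped form.

// Constructed sample posts shaped like Disqus API post objects (assumed
// layout): `message` is assumed to be the Disqus-sanitized HTML version,
// `raw_message` the text exactly as the commenter submitted it.
const SAMPLE_POSTS = [
  {
    id: "1",
    author: { name: "alice" },
    raw_message: "Great explorer, thanks!",
    message: "<p>Great explorer, thanks!</p>",
  },
  {
    id: "2",
    author: { name: "mallory" },
    raw_message: '<script>alert("1337")</script>',
    message: '<p>&lt;script&gt;alert("1337")&lt;/script&gt;</p>',
  },
  {
    id: "3",
    // Attacker-controlled display name: author fields are untrusted too.
    author: { name: "<img src=x onerror=alert(1)>" },
    raw_message: 'see "web3" & more',
    message: "<p>see &quot;web3&quot; &amp; more</p>",
  },
];

// Escape the five characters that matter in text nodes and in
// double- or single-quoted attribute values.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable footer renderer: raw_message and the author name are
// concatenated into HTML as-is, so any markup in a comment becomes live.
function renderFooterUnsafe(posts) {
  return posts
    .map((p) => `<li><b>${p.author.name}</b>: ${p.raw_message}</li>`)
    .join("");
}

// Hardened footer renderer: every untrusted string is escaped before it is
// placed into markup, so the browser shows it as text only.
function renderFooterSafe(posts) {
  return posts
    .map((p) => `<li><b>${escapeHtml(p.author.name)}</b>: ${escapeHtml(p.raw_message)}</li>`)
    .join("");
}

// Check used for the comparison: after removing the tags the renderer
// itself emits (<li>, <b>), does anything tag-like remain? If so, it came
// from comment content.
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(li|b)>/g, "");
  return /<[a-z!/]/i.test(stripped);
}

// Render the sample data both ways and report whether comment-supplied
// markup survived into the output.
function compareRenderers(posts = SAMPLE_POSTS) {
  const unsafe = renderFooterUnsafe(posts);
  const safe = renderFooterSafe(posts);
  return {
    unsafeHasInjectedTag: containsInjectedTag(unsafe),
    safeHasInjectedTag: containsInjectedTag(safe),
    unsafe,
    safe,
  };
}

const result = compareRenderers();
console.log("unsafe renderer leaks comment markup:", result.unsafeHasInjectedTag);
console.log("safe renderer leaks comment markup:  ", result.safeHasInjectedTag);
console.log(result.safe);
```

Note that escaping must be applied to every field that originates from a commenter, including the display name; escaping raw_message alone would have left the third post's author name as a working injection point.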
Etherscan Conclusion
The pop-ups themselves were harmless, but the same injection point could have been used for something far more damaging. An attacker able to run script on a block explorer's pages could, for example, present a fake prompt designed to trick users into revealing their private keys, or inject a web3.js call that asks a connected wallet to send a transaction to an attacker-controlled address.