On July 23rd, in a Reddit post, Etherscan announced a suspected hacking attempt on its platform that was ultimately thwarted. All funds and the platform itself are safe for now.
Etherscan is the leading BlockExplorer for the Ethereum Blockchain. A BlockExplorer is essentially a search engine that allows users to easily look up, confirm and validate transactions that have taken place on the Ethereum Blockchain. Etherscan is not funded, operated or managed by the Ethereum Foundation but instead exists as an independent entity.
The Ethereum Blockchain has a public ledger (like a decentralized database) which Etherscan.io indexes and then makes available through its site. Its mission is to facilitate Blockchain transparency by indexing and making searchable all transactions on the Ethereum Blockchain in the most transparent and accessible way possible.
What Was The Attack?
There was no risk of a compromised system beyond the pop-up alert. There were 3 attempts to inject the JS alert message “1337”. The first appeared non-malicious, with the next 2 coming from someone the platform knows (most likely experimental). The 4th attempt tried to inject a web3.js transaction, but this was blocked (truncated) by their backend.
What Followed After The Attack?
— Etherscan.io (@etherscan) July 23, 2018
Is Using Disqus A Point Of Vulnerability?
Etherscan says that although Disqus encodes all comments, the content returned by its APIs is not encoded. Disqus developers, however, point out that a custom integration that displays comments itself (as Etherscan does) should render the message field rather than raw_message. Etherscan's developers have taken note of this and will implement the change in the near future.
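The following is an added example, not code from Etherscan or Disqus, showing why the choice of field matters when a site renders third-party comments itself. It assumes the Disqus API shape the paragraph describes: raw_message holds the unprocessed text a commenter typed, while message holds a copy Disqus has already encoded; the sample comment and its encoded form are constructed here to mirror the “1337” alert from the incident. The vulnerable renderer concatenates raw_message into markup; the hardened one encodes on output, and a small check flags markup that still contains executable content.

```javascript
// Added example (not Etherscan's or Disqus's code). Assumed API shape:
// `raw_message` = unprocessed commenter input, `message` = Disqus-encoded copy.

// Constructed sample comment modelled on the incident: the body carries an
// inline script that would pop an alert reading "1337".
const sampleComment = {
  raw_message: '<script>alert("1337")</script>',
  // Constructed: what an encoding API is assumed to hand back for that input.
  message: '&lt;script&gt;alert(&quot;1337&quot;)&lt;/script&gt;',
};

// Vulnerable rendering: trusts raw_message and builds markup by concatenation,
// so whatever the commenter typed becomes part of the page's DOM.
function renderCommentUnsafe(comment) {
  return '<div class="comment">' + comment.raw_message + '</div>';
}

// Minimal HTML encoding for text placed inside an element body.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: encode on output so the comment is displayed as text,
// never interpreted as markup. This is what is lost when a custom integration
// reads raw_message and skips the encoding Disqus would otherwise apply.
function renderCommentSafe(comment) {
  return '<div class="comment">' + escapeHtml(comment.raw_message) + '</div>';
}

// Rendering from the already-encoded field (the fix the paragraph describes).
// Only valid under the assumption that `message` really is encoded upstream.
function renderCommentFromMessage(comment) {
  return '<div class="comment">' + comment.message + '</div>';
}

// Defender-side check for use in tests or a pre-insert guard: does the markup
// still contain an element or attribute that could execute script? It is a
// smoke test, not a substitute for output encoding.
function containsActiveContent(html) {
  return /<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:/i.test(html);
}

// Stand-alone demonstration.
console.log('unsafe :', renderCommentUnsafe(sampleComment), containsActiveContent(renderCommentUnsafe(sampleComment)));
console.log('safe   :', renderCommentSafe(sampleComment), containsActiveContent(renderCommentSafe(sampleComment)));
console.log('message:', renderCommentFromMessage(sampleComment), containsActiveContent(renderCommentFromMessage(sampleComment)));
```

Run with Node; the first line shows the script tag passing straight through, the other two show it neutralised. The check is deliberately conservative (it will flag legitimate text that happens to contain “javascript:”), which is the right trade-off for a guard that should fail closed.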
It’s likely that the hacker had something far more sinister in mind than creating annoying pop-up messages. For instance, the attacker could have ultimately hoped to inject code designed to trick users into exposing their private keys or sending a transaction to a hacker-controlled wallet.