Unknown Hacker Attempted to Hack Etherscan Through Comments Section

July 24, 2018

Etherscan, an Ethereum network explorer, has become a target of another hack attempt. An unknown attacker tried to use the comment section to inject malicious code. 

Users of the website who attempted to access Etherscan on Monday were greeted with a suspicious JavaScript pop-up saying "1337".

After studying the issue, Etherscan developers found that the attack came from the comment section of the website, which was supported by a third-party service called Disqus.

Etherscan disabled Disqus comments at the footer and announced on Reddit that it is already working on a patch that will encapsulate the footer HTML and make it impossible to attack the website in that way in the future.

MyCrypto developer Michael Hahn said:

"XSS, in this case a JavaScript injection, was taking advantage of Disqus comments that people use to comment on addresses. It doesn’t appear that Etherscan had been serving malicious code when it was noticed. Disqus comments on Etherscan.io were disabled until a security patch is published which will encapsulate/encode the field to remove the vulnerability to XSS."

 
