Criminal mastermind injects malicious script into Ethereum tracker. Their message? '1337'

Ethereum-tracking website Etherscan has resolved a cross-site scripting issue on its domain.

Though among the world's top-2,000 websites (1,379th per Alexa), Etherscan fell foul of one of the net's most common security slip-ups.

Cross-site scripting (XSS) refers to when a hacker is able to inject a script into a vulnerable site which is viewable by visitors. It is especially useful for running phishing scams or, worse, pushing malicious scripts at site surfers.

Security researcher Scott Helme discovered that the flaw resided in an insecure custom implementation of the Disqus comment system, which generated a pop-up alert box on the Etherscan site. It read: "etherscan.io says l337."

The Etherscan developers informed users via Reddit. The site temporarily disabled the comment section while it worked to resolve the issue.

When the comments section reappeared, tests by Helme determined that the vulnerability was still uncorrected. "It seems that the fix was specifically to 'handle un-escaped javascript exploits' via their comment system," he said, adding that this did not address the problem.

Helme told us that by late Tuesday afternoon the bug had been stamped, freeing him to discuss it in a blog post published on Wednesday morning. Helme began his inquiry into Etherscan's XSS woes in response to a tip-off from journalist Jordan Pearson.

Etherscan is yet to respond to a request by El Reg to comment on the problem.

"This is exactly the kind of thing that CSP [Content Security Policy] was built to stop and it would have made a great defence here even though traditional mechanisms like output encoding were missed/forgotten," Helme said. "A properly defined CSP would have neutralised the inline script here because inline script can be controlled on a site that defines a proper CSP.

"If the injected script tag was loaded from a third-party origin then the script would have been blocked because the origin wouldn't have been found in the CSP whitelist. Either way, the attack would have been neutralised and again, this is exactly what CSP set out to do."

CSP reporting could have alerted site admins about the problem. "When the browser blocked the hostile script it could send a report out to a service like Report URI¹ and provide immediate information that there is script on the page that shouldn't be there," Helme added.

Lucky escape

The Etherscan incident could have been far worse. Rather than a cheeky pop-up, a more mendacious mind might just have easily used the same flaw to run a crypto-mining scam.

"The script payload here was not stealthy in the least bit, popping a JS [JavaScript] alert on the page is a dead giveaway that there is a script there doing bad things," Helme said. "Just think if it hadn't popped that alert, though. What if it had injected malware, a malicious redirect, modified or tampered with the page or installed a keylogger? There are countless ways this could have gone very, very wrong but yet again, this was a lucky escape.

"It was only a few months ago when I was talking about how 4,000+ government sites got hit with crypto-jacking after a piece of rogue JS installed a crypto miner on their site. Back then I detailed how CSP and SRI could have protected all of those government sites and to this day only a small handful of them have gone and deployed either of those protections." ®

Bootnote

¹Helme is the security researcher behind both securityheaders.com and report-uri.com, free tools to help websites to deploy better security.