Hackers tried to use the comments section of Etherscan to infiltrate the website.
According to an official Etherscan announcement via Reddit[1] on Monday, random JavaScript alerts containing the text "1337" popped up on the block explorer website. A hacker (or hackers) injected the alerts into the summarized comments section provided by Disqus, a third-party comment hosting service. Etherscan identified the offending comment, seen below:
The organization said no systems were compromised besides the appearance of pop-up alerts. Immediately after receiving user reports[2] regarding the suspicious activity, Etherscan disabled the Disqus comments section and tested a patch to encode footer comments to prevent future attacks. The block explorer has also applied a patch to address "un-escaped javascript exploits" on its top comments sections.
Upon further investigation, Etherscan discovered there were three attempts to inject the "1337" alert. The organization said the first attempt seemed non-malicious in nature, whereas the following two attempts originated from a party associated with Etherscan. Additionally, there was an attempt to inject a Web3 JavaScript application programming interface (API), although this was stopped by the block explorer's backend.
Etherscan went on to dispel any fear, uncertainty, and doubt about Disqus, asserting that the comments were encoded, but the APIs were not.
When asked if funds would be safe, Etherscan replied, "Yes, funds are safe. We will post a more detailed follow up later." A Disqus developer suggested that the code should use the "message" field rather than "raw_message." The block explorer's admin said it would "implement the suggestion."
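The encoding fix described above, shown as an added example that is not Etherscan's or Disqus's code: text from a comment API's `raw_message` field is written into HTML with and without output encoding. The sample records, the `author` field and all function names are assumptions constructed for illustration.

```javascript
"use strict";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value so it is inert in HTML element content and quoted attributes.
function escapeHtml(value) {
  const text = value == null ? "" : String(value);
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed sample of comment records as a page might receive them from a
// third-party comment API. Only the name raw_message comes from the article;
// the author field and the values are made up for this example.
const samplePosts = [
  { author: "alice", raw_message: "Great explorer, thanks!" },
  { author: 'Dana "dee" O\'Neil', raw_message: "<script>alert(1337)</script>" },
];

// The "before": API text concatenated into markup unchanged, so any tags in
// a comment become part of the page.
function renderUnescaped(posts) {
  return posts.map((p) => `<li title="${p.author}">${p.raw_message}</li>`).join("\n");
}

// The "after": every API-supplied string is encoded at the point of output,
// both in the attribute and in the element body.
function renderEncoded(posts) {
  return posts
    .map((p) => `<li title="${escapeHtml(p.author)}">${escapeHtml(p.raw_message)}</li>`)
    .join("\n");
}

// Review aid: list the records whose text contains tag-like sequences, so
// they can be logged and inspected after rendering them safely.
function flagMarkup(posts) {
  return posts.filter((p) => /<\s*\/?\s*[a-z!]/i.test(String(p.raw_message)));
}

console.log(renderEncoded(samplePosts));
console.log("flagged for review:", flagMarkup(samplePosts).map((p) => p.author));
```

Encoding at output time keeps the stored comment unchanged while making it display as text, which is the effect of the footer-comment patch the article describes.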
However, another redditor suggested the attack was a precursor to something potentially more malicious, stating:
"Often in penetration testing you would do small tests that could look more like errors or vandalism but you're still finding