Etherscan XSS snafu could have been much, much worse
Ethereum-tracking website Etherscan has resolved a cross-site scripting issue on its domain.
Though among the world’s top-2,000 websites (1,379th per Alexa), Etherscan fell foul of one of the net’s most common security slip-ups.
Cross-site scripting (XSS) occurs when an attacker is able to inject a script into a vulnerable site so that it runs in the browsers of visitors. It is especially useful for running phishing scams or, worse, pushing malicious scripts at site surfers.
Security researcher Scott Helme discovered that the flaw resided in an insecure custom implementation of the Disqus comment system. The injected script generated a pop-up alert box on the Etherscan site, which read: “etherscan.io says l337.”
The Etherscan developers informed users via Reddit. The site temporarily disabled the comment section while it worked to resolve the issue.
Helme told us that by late Tuesday afternoon the bug had been stamped out, freeing him to discuss it in a blog post published on Wednesday morning. Helme began his inquiry into Etherscan’s XSS woes in response to a tip-off from journalist Jordan Pearson.
Etherscan is yet to respond to a request by El Reg to comment on the problem.
“This is exactly the kind of thing that CSP [Content Security Policy] was built to stop and it would have made a great defence here even though traditional mechanisms like output encoding were missed/forgotten,” Helme said. “A properly defined CSP would have neutralised the inline script here because inline script can be controlled on a site that defines a proper CSP.
“If the injected script tag was loaded from a third-party origin then the script would have been blocked because the origin wouldn’t have been found in the CSP whitelist. Either way, the attack would have been neutralised and again, this is exactly what CSP set out to do.”
CSP reporting could have alerted site admins about the problem. “When the browser blocked the hostile script it could send a report out to a service like Report URI[1] and provide immediate information that there is script on the page that shouldn’t be there,” Helme added.
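To make Helme’s two points concrete, here is a small model of how a browser applies a CSP `script-src` directive to an injected script. This is an added example, not code from the article, from Etherscan or from Helme; the page origin, the three policy strings and the third-party script URL are constructed, and real CSP matching has more rules (ports, paths, nonce and hash matching, `report-to` groups) than are modelled here.

```javascript
// Added example, not code from the article, Etherscan or Scott Helme: a simplified
// model of how a browser applies a CSP script-src directive to an injected script.
// Page origin and all policy strings below are constructed for illustration.
// Simplifications: ports, paths, nonce/hash matching and report-to groups are ignored.

const PAGE_ORIGIN = 'https://www.example.com'; // constructed origin of the protected site

// Parse "directive value value; directive value" into { directive: [values] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    policy[name.toLowerCase()] = values;
  }
  return policy;
}

// script-src falls back to default-src; a header with neither leaves scripts unrestricted.
function scriptSourceList(policy) {
  if ('script-src' in policy) return policy['script-src'];
  if ('default-src' in policy) return policy['default-src'];
  return null;
}

// An injected inline <script> carries no nonce and an unknown hash, so it runs only
// when the policy is missing or opts in with 'unsafe-inline' ('strict-dynamic' cancels that).
function allowsInlineScript(header) {
  const list = scriptSourceList(parseCsp(header));
  if (list === null) return true;
  const lower = list.map((s) => s.toLowerCase());
  return lower.includes("'unsafe-inline'") && !lower.includes("'strict-dynamic'");
}

// Does one source expression (keyword, scheme or host) match the script URL?
function sourceMatches(expr, scriptUrl, pageOrigin) {
  const e = expr.toLowerCase();
  const url = new URL(scriptUrl);
  if (e === "'self'") return url.origin === pageOrigin;
  if (e.startsWith("'")) return false;            // other keywords, nonces, hashes never match a URL
  if (e === '*') return url.protocol === 'https:' || url.protocol === 'http:';
  if (e.endsWith(':')) return url.protocol === e; // scheme-source such as https:
  // host-source: [scheme://]host[:port][/path]; port and path are not modelled
  let scheme = null;
  let host = e;
  const sep = e.indexOf('://');
  if (sep !== -1) { scheme = e.slice(0, sep + 1); host = e.slice(sep + 3); }
  if (scheme ? url.protocol !== scheme : !['https:', 'http:'].includes(url.protocol)) return false;
  host = host.split('/')[0].split(':')[0];
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1)); // "*.x.y" -> ".x.y"
  return url.hostname === host;
}

// An external <script src=...> runs only if some source expression matches its URL.
function allowsScriptFrom(header, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const list = scriptSourceList(parseCsp(header));
  if (list === null) return true;
  return list.some((expr) => sourceMatches(expr, scriptUrl, pageOrigin));
}

// Where a violation report would be POSTed: the alerting half of the argument above.
function reportEndpoint(header) {
  const list = parseCsp(header)['report-uri'];
  return list && list.length > 0 ? list[0] : null;
}

// Three constructed policies: none, a loose one that still lets both injections run,
// and a strict one that blocks both and reports them.
const NO_CSP = '';
const LOOSE_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
const STRICT_CSP =
  "default-src 'self'; script-src 'self' https://cdn.trusted.example; " +
  'report-uri https://reports.example/csp';

const MINER_URL = 'https://attacker.example/miner.js'; // constructed third-party script URL

for (const [name, csp] of [['none', NO_CSP], ['loose', LOOSE_CSP], ['strict', STRICT_CSP]]) {
  console.log(name.padEnd(7),
    'inline runs:', allowsInlineScript(csp),
    '| third-party runs:', allowsScriptFrom(csp, MINER_URL),
    '| report to:', reportEndpoint(csp));
}
```

The loose policy is the trap worth noticing: it looks restrictive but `'unsafe-inline'` lets the injected inline script run and the bare `https:` scheme-source lets any third-party script load, so the output-encoding mistake is not caught at all. The strict policy blocks both shapes of injection and, through `report-uri`, tells the operator that something tried to run.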
The Etherscan incident could have been far worse. Rather than a cheeky pop-up, a more mendacious mind might just as easily have used the same flaw to run a crypto-mining scam.
“It was only a few months ago when I was talking about how 4,000+ government sites got hit with crypto-jacking after a piece of rogue JS installed a crypto miner on their site. Back then I detailed how CSP and SRI could have protected all of those government sites and to this day only a small handful of them have gone and deployed either of those protections.” ®
[1] Helme is the security researcher behind both securityheaders.com and report-uri.com, free tools to help websites to deploy better security.