An Incredibly Simple Hack Had the Potential to Manipulate Cryptocurrency Markets

Visitors to Ethereum blockchain explorer Etherscan.io on Monday were shown a pop-up that said, “l337,” but the hackers could have tricked site visitors by superficially changing values on the blockchain record.

Jul 24 2018, 2:00pm

Images: Shutterstock, Etherscan.io

An online panic ensued Monday morning when visitors to a popular blockchain explorer site for Ethereum were confronted with the cryptic pop-up displaying “l337,” or “elite” in old-school hacker speak, indicating that the site was compromised.

Blockchain explorers are web portals that anyone can use to view public cryptocurrency transactions—essentially, financial reporting sites for cryptocurrencies. Etherscan.io is an extremely popular explorer for Ethereum’s blockchain (ranked the 1,379th most popular site in the world according to Alexa), and when the message—basically international code for “you’ve been hacked”—popped up on the site, worried users took to Twitter warning others to stay away from the site.

Etherscan.io doesn’t offer digital wallet services—although it does allow users to broadcast raw transactions to the Ethereum network—so it seems as though everyone’s virtual coin stashes will remain untouched. Even so, according to information security experts the seemingly innocuous hack is nonetheless dangerous because the hacker could have made Etherscan.io appear any way they wanted it to from a visitor’s perspective. While this wouldn’t actually affect the blockchain, it could trick visitors into thinking the blockchain looks a certain way—say, to make an account look wealthier than it really is.

“Financial reporting site where any comment can deface the site? That can affect financial markets,” information security expert Jim Manico told me in a Twitter message. “For a financial information site like this, it’s a real [vulnerability].”


According to a Reddit post by the administrators of Etherscan.io’s subreddit, the attack occurred thanks to a commenter writing malicious code into a comment on the site, which executed in the browser of anyone visiting the site. Etherscan.io is implementing a fix, according to the post. On Twitter, Etherscan.io assured users that there is “no risk of systems being compromised (that we are aware of at the moment) other than the pop up from the javascript ‘alert(1337).’”

Spokespeople for blog comment hosting service Disqus—which Etherscan.io used—told Motherboard in an email that the fault lies with Etherscan, which built a custom application using its API; Disqus suggested a fix to Etherscan on Reddit, and an administrator responded that the company would implement the suggestion. Etherscan spokespeople over email directed me to the site’s social media updates.
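The pattern described in the two paragraphs above, as an added example that is not Etherscan's or Disqus's own code: a custom comment widget that builds page markup from an untrusted comment body (stored cross-site scripting) beside a hardened version that escapes the text first. It assumes comments are fetched from an API and rendered client-side; the comment bodies are constructed samples, and the `alert(1337)` mirrors the pop-up in the article.

```javascript
// Added example (not from the article or the site): the stored-XSS rendering
// bug beside its fix. Runs under Node; it only builds the HTML strings a page
// would insert, so no DOM is needed.

// Constructed sample comment bodies (assumption: this is what the API returns).
const maliciousComment = '<img src="x" onerror="alert(1337)">Nice block!';
const benignComment = 'Tx 0x1234 confirmed & looks fine <3';

// VULNERABLE: the raw comment text is concatenated into markup. If this string
// is later assigned to element.innerHTML, any tag the commenter wrote runs in
// the browser of every visitor who loads the page.
function renderCommentUnsafe(body) {
  return `<div class="comment">${body}</div>`;
}

// HARDENED: replace the five HTML metacharacters before the text reaches markup,
// so the comment is displayed as text rather than parsed as elements.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderCommentSafe(body) {
  return `<div class="comment">${escapeHtml(body)}</div>`;
}

// Defender check: strip the widget's own wrapper and ask whether any other tag
// survived into the rendered fragment. True means a comment reached the page as markup.
function containsForeignMarkup(html) {
  const inner = html.replace(/^<div class="comment">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Second layer (not shown in code): a Content-Security-Policy whose script-src
// omits 'unsafe-inline' blocks inline handlers such as onerror even if escaping is missed.

console.log('unsafe:', renderCommentUnsafe(maliciousComment));
console.log('safe:  ', renderCommentSafe(maliciousComment));
console.log('markup leaked (unsafe)?', containsForeignMarkup(renderCommentUnsafe(maliciousComment)));
console.log('markup leaked (safe)?  ', containsForeignMarkup(renderCommentSafe(maliciousComment)));
```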

According to security researcher Scott Helme, an attacker who can execute code in visitors’ browsers has powers limited effectively only by their imagination; all kinds of malware, including keyloggers, can be delivered through XSS attacks like the one on Etherscan. “They could also have just put hardcore porn on the page, it's really down to your imagination at this point,” Helme told me in a Twitter message. The biggest risk with Etherscan.io is likely defacement, he added.

“They could alter the prices shown on graphs, maybe cause a buy/sell,” Helme told me. “I'm sure that tampering with the values could impact people.”

In the fast-moving world of cryptocurrencies, where speculators are constantly trying to play the market and transactions are irreversible, the idea of a hacker manipulating your outlook for personal gain is pretty scary.
