Worm Trips Up Tumblr

Published: 22/11/2024 | Category: security




How thousands of accounts were defaced by an exploit that capitalized on a flaw in the reblogging function of the social network



It spread like wildfire this morning -- a nasty worm that defaced thousands of Tumblr account sites with an offensive post riddled with obscenities.
Security experts say the attackers, a group called GNAA known for trolling bloggers with racist posts and comments, exploited a weakness in Tumblr's reblogging function. "Anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages," Graham Cluley, senior technology consultant at Sophos, explained in a blog post today.
The attackers embedded malicious code inside the post itself. "It shouldn't have been possible for someone to post such malicious JavaScript into a Tumblr post -- our assumption is that the attackers managed to skirt around Tumblr's defences by disguising their code through Base64 encoding and embedding it in a data URI," Cluley wrote.
The attackers tucked the encoded JavaScript inside a hidden iframe that pulled content from a malicious URL. Some victims got a pop-up message posing as Tumblr that announced the site was undergoing maintenance, with prompts that redirected them. "If you were not logged into Tumblr when your browser visited the URL, it would simply redirect you to the standard login page. However, if your computer was logged into Tumblr, it would result in the GNAA content being reblogged on your own Tumblr," Cluley blogged.
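The bypass Cluley describes, script disguised with Base64 encoding, placed in a data URI and loaded through a hidden iframe, is exactly what a post sanitizer has to see through. As an added example (not Tumblr's code and not from the article), this Python auditor walks submitted post HTML with the standard-library html.parser, flags active-content tags, inline event handlers and javascript: URLs, and decodes base64 data: URIs so that the payload itself, not its encoding, is what gets inspected; the sample posts are constructed.

```python
import base64
import re
from html.parser import HTMLParser

URL_ATTRS = {"src", "href", "data", "action", "poster"}  # attributes that can carry a data: URI
ACTIVE_MIMES = {"text/html", "text/javascript", "application/javascript", "image/svg+xml"}
# data:[<mime>][;param...],<body>   (params is usually just ";base64")
DATA_URI = re.compile(r"^\s*data:(?P<mime>[^;,]*)(?P<params>(?:;[^,]*)*),(?P<body>.*)$", re.I | re.S)
# Markers of executable content, checked against the *decoded* body of a data: URI
SCRIPT_MARKERS = re.compile(r"<script|javascript:|document\.cookie|\bon\w+\s*=", re.I)

class DataUriAuditor(HTMLParser):  # collects (tag, attr, reason) findings a post sanitizer should reject
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append((tag, None, "active-content tag not allowed in a post"))
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on"):
                self.findings.append((tag, name, "inline event handler"))
            elif name in URL_ATTRS:
                self.check_url(tag, name, value)

    def check_url(self, tag, attr, value):
        if value.strip().lower().startswith("javascript:"):
            self.findings.append((tag, attr, "javascript: URL"))
            return
        m = DATA_URI.match(value)
        if not m:
            return
        mime, body = m.group("mime").lower(), m.group("body")
        if "base64" in m.group("params").lower():
            try:  # inspect the hidden payload, not its encoding
                body = base64.b64decode(body + "=" * (-len(body) % 4)).decode("utf-8", "replace")
            except Exception:
                self.findings.append((tag, attr, "undecodable base64 data: URI"))
                return
        if mime in ACTIVE_MIMES or SCRIPT_MARKERS.search(body):
            self.findings.append((tag, attr, f"data: URI ({mime or 'no mime'}) carrying script/HTML"))
def audit_post_html(html):  # findings for a submitted post body; an empty list means nothing was flagged
    p = DataUriAuditor()
    p.feed(html)
    return p.findings

# Constructed samples (not the real worm post): script hidden in a base64 data: URI in an iframe, vs. an inline image
_inner = "<html><script>/* constructed placeholder; does nothing */</script></html>"
SAMPLE_BAD = '<p>hi</p><iframe src="data:text/html;base64,' + base64.b64encode(_inner.encode()).decode() + '"></iframe>'
SAMPLE_OK = '<p>hi</p><img src="data:image/png;base64,iVBORw0KGgo=" alt="one pixel">'
```

A real deployment would reject the post (or strip the offending node) on any finding; the auditor here only reports so the decision stays with the caller.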
Tumblr cleaned up the posts and, by 1:30 p.m. EST today, patched the hole that had allowed the worm to spread so quickly throughout the social network. "Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience," the social network said in its Twitter feed.
[UPDATE: Tumblr issued an updated statement on the worm: "This morning, some of you may have noticed a spam post appearing repeatedly on your Dashboard and on the blogs of a few thousand affected accounts. We quickly identified the source, removed the posts, and restored service to normal.
No accounts have been compromised, and you don't need to take any further action.
Our sincere apologies for the inconvenience. As always, we are going to great lengths to make sure this type of abuse does not happen again."]
David Marcus, director of advanced research and threat intelligence for McAfee, says it's difficult to discern the specific vulnerability from the slim amount of information disclosed thus far, but the attack is akin to stealing a password and posting multiple times with the stolen credentials. "It's snarfing the creds and passing those credentials to the reblogging services and posting as you," Marcus says. The danger is that reblogging makes the attack an order of magnitude larger than a single stolen password, because reblogging is automated, he says.
A GNAA member told Gawker that the attack was a way to publicly shame Tumblr into fixing the vulnerability. "We contacted Tumblr about this weeks ago and nothing came of it," he said. "This was a serious issue that needed to be fixed ... They never got back to us."
The attack only worked on users who were logged in, and the good news is that the attackers defaced accounts rather than doxing victims or performing other, more nefarious acts, experts say.
"It's tidy," McAfee's Marcus says. "It also shows one of the dangers of staying logged in ... and having multiple panes open in the browser," he says.
Marcus recommends that Tumblr users log out of Tumblr and close their browsers. "Kill the browser instance, spawn a new browser, and then log back into Tumblr just to be sure there is no residual code in their system," he says.