Worm Trips Up Tumblr

It spread like wildfire this morning -- a nasty worm that defaced thousands of Tumblr account sites with an offensive post riddled with obscenities.

Security experts say the attackers, a group called GNAA known for trolling bloggers with racists posts and comments, exploited a weakness in Tumblr's reblogging function. "Anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages," Graham Cluley, senior technology consultant at Sophos, explained in a blog post today.

The attackers embedded malicious code inside the malicious post. "It shouldn't have been possible for someone to post such malicious JavaScript into a Tumblr post -- our assumption is that the attackers managed to skirt around Tumblr's defences by disguising their code through Base 64 encoding and embedding it in a data URI," Cluley wrote.

The attackers tucked encoded JavaScript inside a hidden iFrame that lifted content from a malicious URL. Some victims got a pop-up message posing as Tumblr that announced the site was undergoing maintenance with prompts that redirected them. "If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page. However, if your computer was logged into Tumblr, it would result in the GNAA content being reblogged on your own Tumblr," Cluley blogged.

Tumblr cleaned up the posts and patched the hole by 1:30 p.m. EST today that had allowed the worm to spread so quickly throughout the social network. "Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience," the social network said in its Twitter feed.

[UPDATE: Tumbler issued an updated statement on the worm: "This morning, some of you may have noticed a spam post appearing repeatedly on your Dashboard and on the blogs of a few thousand affected accounts. We quickly identified the source, removed the posts, and restored service to normal.

No accounts have been compromised, and you don’t need to take any further action.

Our sincere apologies for the inconvenience. As always, we are going to great lengths to make sure this type of abuse does not happen again."]

David Marcus, director of advanced research and threat intelligence for McAfee, says it's difficult to discern the specific vulnerability based on the slim amount of information that has been disclosed thus far, but the attack is akin to stealing a password and posting multiple times using the stolen credentials. "It's snarfing the creds and passing those credentials to the reblogging services and posting as you," Marcus says. "The danger is that reblogging allows it to be an order of magnitude larger" than a stolen password because reblogging is automated, he says.

A GNAA member told Gawker that the attack was a way to publicly shame Tumblr into fixing the vulnerability. "We contacted Tumblr about this weeks ago and nothing came of it," he said. "This was a serious issue that needed to be fixed ... They never got back to us."

The attack only worked on users who were logged in, and the good news was that the attackers defaced rather than doxed or performed other more nefarious acts, experts say.

"It's tidy," McAfee's Marcus says. "It also shows one of the dangers of staying logged in ... and having multiple panes" open in the browser, he says.

[Three-year-old 'dead' Windows worm infection is still spreading -- mainly via weak or stolen passwords, Microsoft says. See Microsoft: Conficker Worm Remains 'Ongoing' Threat.]

Marcus recommends that Tumbler users log out of Tumbler and close their browsers. "Kill the browser instance, spawn a new browser, and then log back into" Tumblr just to be sure there is no residual code in their system, he says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.