Major Exploit Hits Tumblr, Affects Over 8,600 Users

By Ken Presti, CRN 4:25 PM EST Mon. Dec. 03, 2012

A massive attack against Tumblr appears to have impacted more than 8,600 users, whose blogs are apparently being infected when they click through to an infected site.

An anti-blogging group known as GNAA is believed to be the source of the attack, which apparently begins with blog entries aimed at insulting the blogger community. Part of the tirade tells bloggers they should "drink bleach and die." In addition to the host of expletives and occasional racist words embedded in the message, other terms include "decadent," "self-congratulating," and "empty husks of human beings." Readers who click on links while logged into their Tumblr accounts then become infected and find the same messages attached to their own blogs.

"It's probably a Web application vulnerability in the Tumblr code," said Qualys CTO Wolfgang Kandek. "There is some function that Tumblr offers that does not check whether the content comes from the user that is logged in but allows it to be posted through some code that comes from another site."
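As an added illustration of the vulnerability class Kandek describes (a posting endpoint that trusts the logged-in session cookie alone), and not Tumblr's own code, here is a minimal handler in that state beside a hardened one that binds each post to a per-session token and checks the request's Origin header; the site name, session store and the two sample requests are constructed stand-ins.

```python
# Added example, not Tumblr's code. The flaw Kandek describes: an endpoint that
# posts content whenever a valid session cookie arrives, so any page the user
# visits while logged in can make the browser submit a post on their behalf.
import hmac
import secrets

SITE_ORIGIN = "https://blog.example"  # constructed stand-in for the blogging site
# Constructed session store: cookie value -> user and a per-session CSRF secret.
SESSIONS = {"cookie-abc": {"user": "alice", "csrf": secrets.token_hex(16)}}
POSTS = []  # (user, body) tuples accepted by the handlers below


def vulnerable_post(request):
    """Accepts a post whenever the session cookie is valid (the flawed check)."""
    sess = SESSIONS.get(request.get("cookie"))
    if sess is None:
        return 401
    POSTS.append((sess["user"], request["body"]))
    return 200


def hardened_post(request):
    """Also requires the session's CSRF token and, if present, a same-site Origin."""
    sess = SESSIONS.get(request.get("cookie"))
    if sess is None:
        return 401
    # Constant-time comparison; a cross-site page cannot read this token.
    if not hmac.compare_digest(request.get("csrf", ""), sess["csrf"]):
        return 403
    # Browsers send Origin on cross-site POSTs; some older ones omit it on
    # same-origin requests, so absence is tolerated and the token check holds.
    origin = request.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    POSTS.append((sess["user"], request["body"]))
    return 200


# Constructed requests: one from the site's own editor, one triggered by a
# foreign page while the victim's session cookie is still attached.
SAME_SITE_REQUEST = {"cookie": "cookie-abc", "csrf": SESSIONS["cookie-abc"]["csrf"],
                     "origin": SITE_ORIGIN, "body": "a normal post"}
CROSS_SITE_REQUEST = {"cookie": "cookie-abc", "origin": "https://other.example",
                      "body": "unwanted text"}

if __name__ == "__main__":
    print("vulnerable, cross-site:", vulnerable_post(CROSS_SITE_REQUEST))  # 200
    print("hardened, cross-site:", hardened_post(CROSS_SITE_REQUEST))      # 403
    print("hardened, same-site:", hardened_post(SAME_SITE_REQUEST))        # 200
```

Logging out, as Kandek suggests, works because neither handler accepts a request without a valid session cookie.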


The message also warns that attempting to delete it will result in the deletion of the user's Tumblr account. "But by all means, go ahead!" it says.

"The threat that they can delete your account if you delete their post is probably smoke and mirrors," said Kandek. "They probably are just trying to instill enough fear to get people to keep the post intact, but I don't think that technically there is any merit to that threat."

It is important to note that users must apparently have a Tumblr account in order to be affected. Kandek recommends that users remain logged out of the account, if possible. "You might also want to use a different browser for editing, which is a little bit inconvenient, but it's probably the more cautious approach to use two separate browsers for editing and browsing."

Tumblr has confirmed that the attack is under way, and told its Twitter followers that it is currently working to resolve the issue. Meanwhile, some sites are reportedly disabling posting to their blogs until a fix is in place. At least one report suggests that the situation may already be resolved, but Tumblr could not be reached for comment.

Previous attacks by the group have reportedly targeted CNN, Wikipedia and the Obama campaign site, according to Gizmodo's website. The site also claims that the GNAA was responsible for false reports about massive looting in the wake of Hurricane Sandy.

PUBLISHED DEC. 3, 2012