Testing Tumblr worm root cause

Yesterday Tumblr was hit by a “worm” that posted racist messages using JavaScript. Sophos analyst Graham Cluley posted the first technical analysis that I noticed, on the Naked Security blog. It looked like an attack based on a stored Cross-site Scripting vulnerability and some tricks to trigger Tumblr’s reblog feature.

Later in the evening Tumblr told us that their “engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs”.

This morning I tried to find affected Tumblr posts, without luck. The viral post attack appears to be resolved. But what about the root cause? Based on some news reports, the hackers behind the attack warned Tumblr weeks ago about a vulnerability. This would not be the first time: earlier this year Riyaz Walikar reported a serious Cross-site Scripting vulnerability to Tumblr. According to Mr. Walikar, it took three weeks to fix the issue.

Was the root cause yet another stored Cross-site Scripting vulnerability on Tumblr, and more importantly: is it now fixed? According to my quick testing: yes, and unfortunately no:

Tumblr stored XSS vulnerability

Let’s hope Tumblr fixes the vulnerability without delay. It was easy to locate the root cause. I tested this with a private post for security reasons, but I assume the payload works in public posts. If that is the case, Tumblr users should be warned: there could be other attacks underway or planned. Those could be much more severe than the “reblog worm”.

Update: I created a temporary Tumblr account using a different browser, submitted a public post with a stored XSS payload and visited the profile from another PC and a different account. The vulnerability seems to be valid.

Mikko Hyppönen, CRO at F-Secure, commented on this case in a tweet: “A new Tumblr worm could still be possible… Good example on how XSS vulns are not harmless”.

Update 2: It seems that Tumblr developers have started to implement counter-measures: the string “denied:” is now automatically prepended to the test script’s src attribute whenever the post is edited (checked on 5-Dec), so the browser sees an unknown URL scheme and does not fetch the script. E.g. <script src=”denied:data…

Screen-shot of the test case is below:

Stored XSS test with Safari
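The following JavaScript is an added illustration, not code from this post, from the test payload, or from Tumblr. It models the counter-measure observed in Update 2 (a stored `<script src="data:…">` reference made inert by prepending `denied:`) and puts it next to the check a practitioner would actually want: URL normalisation the way browsers do it before reading the scheme, and an allowlist instead of a denylist. The payload strings, function names and the `SCRIPT_CAPABLE` set are assumptions for the example; Tumblr’s real implementation is not known.

```javascript
// Added example (not Tumblr's code, not the author's test script). Models the
// countermeasure observed in the post: a stored <script src="data:..."> made
// inert by prefixing the URL with "denied:", so the browser sees an unknown
// scheme and fetches nothing. All payload strings below are constructed.

// Normalise a URL reference the way the WHATWG URL parser does before it reads
// the scheme: strip leading/trailing C0 controls and spaces, delete ASCII tab,
// LF and CR anywhere. A filter that skips this step is bypassed by
// "\tdata:..." or "da\nta:...", which browsers still resolve as data: URLs.
function normalizeUrl(ref) {
  return ref.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "").replace(/[\t\n\r]/g, "");
}

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
// Returns null when the reference is relative (has no scheme).
function schemeOf(ref) {
  const m = /^([A-Za-z][A-Za-z0-9+.-]*):/.exec(normalizeUrl(ref));
  return m ? m[1].toLowerCase() : null;
}

// Denylist neutralisation matching what the post observed: "denied:" goes in
// front of the reference, so "data:..." becomes "denied:data:...", whose scheme
// "denied" no browser handles. Normalising first matters, or "\tdata:" slips by.
// Which schemes count as dangerous is an assumption of this example.
const SCRIPT_CAPABLE = new Set(["data", "javascript", "vbscript", "blob"]);
function neutralizeByPrefix(src) {
  const s = schemeOf(src);
  return s !== null && SCRIPT_CAPABLE.has(s) ? "denied:" + normalizeUrl(src) : src;
}

// The naive version a developer might write first: misses upper-case and
// leading-whitespace variants that browsers accept.
function naiveNeutralize(src) {
  return src.startsWith("data:") ? "denied:" + src : src;
}

// Allowlist alternative: keep http(s) absolute URLs and plain relative paths,
// drop everything else (including protocol-relative "//host/x.js"). Fails
// closed for schemes nobody on the team thought of.
function allowlistSrc(src) {
  const norm = normalizeUrl(src);
  const s = schemeOf(norm);
  if (s === null) return norm.startsWith("//") ? null : norm;
  return s === "http" || s === "https" ? norm : null;
}

// Constructed payloads in the shape the post describes (a data: URL carrying
// script), plus the bypass variants a tester checks for, and two benign refs.
const PAYLOADS = [
  "data:text/javascript,alert(document.domain)",
  "DATA:text/javascript,alert(1)",
  "\tdata:text/javascript,alert(1)",
  "java\nscript:alert(1)",
  "https://static.example.test/app.js",
  "/static/app.js",
];

// Run every payload through the three filters so the differences are visible.
function demo() {
  return PAYLOADS.map((p) => ({
    src: JSON.stringify(p),
    naive: naiveNeutralize(p),
    prefixed: neutralizeByPrefix(p),
    allowlisted: allowlistSrc(p),
  }));
}

console.table(demo());
```

The table makes the caveat concrete: the `denied:` prefix does neutralise the observed payload, but only if the check normalises the URL first and keeps its scheme list complete, and a denylist always has to be re-opened for the next scheme. For user-supplied post content the stronger fix is not to let `<script>` through at all; a scheme check on `src` is a defence-in-depth layer, not the sanitizer.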


Some media reactions:

Tumblr troubled by trojan text – Update – H-Online
Tumblr worm proliferated due to XSS flaw – Help Net Security
Tumblr Worm Might Have Leveraged Stored XSS Vulnerability – Softpedia