Later in the evening Tumblr told us that their “engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs”.
This morning I tried to find affected Tumblr posts, without luck. The viral post attack appears to be resolved. But what about the root cause? Based on some news reports, the hackers behind the attack warned Tumblr weeks ago about a vulnerability. This would not be the first time: earlier this year Riyaz Walikar reported a serious Cross-site Scripting vulnerability to Tumblr. According to Mr. Walikar, it took three weeks to fix the issue.
Was the root cause yet another stored Cross-site Scripting vulnerability on Tumblr and, more importantly, is it now fixed? According to my quick testing: yes, and unfortunately no.
Let's hope Tumblr fixes the vulnerability without delay. It was easy to locate the root cause. I tested this with a private post for security reasons, but I assume the payload works in public posts as well. If that is the case, Tumblr users should be warned: there could be other attacks underway or planned, and those could be much more severe than the “reblog worm”.
Update: I created a temporary Tumblr account using a different browser, submitted a public post with a stored XSS payload and visited the profile from another PC with a different account. The vulnerability seems to be valid.
Mikko Hyppönen, CRO at F-Secure, commented on this case in a tweet: “A new Tumblr worm could still be possible…Good example on how XSS vulns are not harmless”
Update 2: It seems that Tumblr developers have started to implement counter-measures: the word “denied:” is added automatically to the test script every time the post is edited, so the script is no longer executed (checked on 5 Dec). E.g. <script src="denied:data…
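To make the counter-measure concrete, here is an added example (not Tumblr's code and not from the original post) of a small server-side sanitizer for user-submitted post HTML. One function mimics the behaviour observed above, prefixing every script src URL with "denied:" so the browser cannot fetch it; the other applies the stricter allowlist a defender would normally prefer, removing script elements outright, unwrapping unknown tags, dropping on* event handlers and permitting only http(s) URLs. The tag and attribute lists and the sample post are assumptions constructed for the example.

```python
"""
Added example, not code from Tumblr or from the post's author: a minimal
server-side sanitizer for user-submitted post HTML, illustrating two kinds of
counter-measure against stored XSS.

  neutralise_script_src()  mimics the observed behaviour: every <script src>
                           URL is prefixed with "denied:", a scheme browsers
                           will not fetch.
  sanitize_post_html()     is the stricter allowlist approach: <script> and
                           <style> are removed with their content, unknown
                           tags are unwrapped, on* attributes are dropped and
                           src/href must use http(s).

The allowlists below are assumptions chosen for the example.
"""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "img", "br", "ul", "ol", "li", "blockquote"}
DROPPED_TAGS = {"script", "style"}          # removed together with their content
URL_ATTRS = {"src", "href"}
ALLOWED_SCHEMES = ("http://", "https://")


class _Rewriter(HTMLParser):
    """Re-serialises the input HTML, consulting policy callbacks for every tag and attribute."""

    def __init__(self, tag_policy, attr_policy):
        super().__init__()                  # convert_charrefs=True: text arrives decoded and is re-escaped on output
        self.out = []
        self.tag_policy = tag_policy        # tag -> "keep" | "unwrap" | "drop"
        self.attr_policy = attr_policy      # (tag, name, value) -> new value, or None to drop the attribute
        self.drop_until = None              # element whose subtree is currently being discarded

    def handle_starttag(self, tag, attrs):
        if self.drop_until:
            return
        action = self.tag_policy(tag)
        if action == "drop":
            self.drop_until = tag
            return
        if action == "unwrap":              # keep the text, lose the tag
            return
        kept = []
        for name, value in attrs:
            new_value = self.attr_policy(tag, name, value or "")
            if new_value is not None:
                kept.append(f' {name}="{escape(new_value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.drop_until:
            if tag == self.drop_until:
                self.drop_until = None
            return
        if self.tag_policy(tag) == "keep":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.drop_until:
            self.out.append(escape(data, quote=False))


def _rewrite(html, tag_policy, attr_policy):
    parser = _Rewriter(tag_policy, attr_policy)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def neutralise_script_src(html):
    """Keep all markup, but make external script sources unfetchable by prefixing 'denied:'."""
    def attr_policy(tag, name, value):
        if tag == "script" and name == "src" and not value.startswith("denied:"):
            return "denied:" + value
        return value
    return _rewrite(html, lambda tag: "keep", attr_policy)


def sanitize_post_html(html):
    """Allowlist sanitizer: script/style dropped, unknown tags unwrapped, http(s) URLs only, no on* handlers."""
    def tag_policy(tag):
        if tag in DROPPED_TAGS:
            return "drop"
        return "keep" if tag in ALLOWED_TAGS else "unwrap"

    def attr_policy(tag, name, value):
        if name.startswith("on"):           # inline event handlers are never allowed
            return None
        if name in URL_ATTRS:               # only absolute http(s) URLs survive
            return value if value.strip().lower().startswith(ALLOWED_SCHEMES) else None
        if name in ("alt", "title"):        # harmless descriptive attributes
            return value
        return None                         # everything else is dropped
    return _rewrite(html, tag_policy, attr_policy)


# Constructed sample post (not a real Tumblr payload): a data: URI script, an
# image with an unsafe URL and an event handler, an unknown tag and a normal link.
SAMPLE_POST = (
    '<p>Hello <b>world</b></p>'
    '<script src="data:text/javascript,alert(1)"></script>'
    '<img src="javascript:alert(1)" onerror="alert(1)" alt="x">'
    '<div>note</div>'
    '<a href="https://example.com/">ok</a>'
)

if __name__ == "__main__":
    print(neutralise_script_src(SAMPLE_POST))
    print(sanitize_post_html(SAMPLE_POST))
```

Run stand-alone, the first line of output keeps every element and only rewrites the script source to `denied:data:text/javascript,alert(1)`, which is exactly the shape seen in the edited test post; the second reduces the sample to `<p>Hello <b>world</b></p><img alt="x">note<a href="https://example.com/">ok</a>`. The comparison shows why the prefix rewrite alone is a thin defence: it leaves inline script bodies and event-handler attributes untouched, whereas the allowlist removes every vector the parser can see.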
Screenshot of the test case:
Some media reactions:
Tumblr troubled by trojan text – Update – H-Online
Tumblr worm proliferated due to XSS flaw – Help Net Security
Tumblr Worm Might Have Leveraged Stored XSS Vulnerability – Softpedia