According to my new tests, Tumblr is still vulnerable to stored Cross-site Scripting. I have reported the findings to the Tumblr development team, although they should already know: the reblog attack on the 3rd of December was based on this vulnerability. I don’t claim “credit” for this vulnerability: all details were available before I even had time to test. What surprises me is the fact that this issue is not yet fixed.
I was asked if this vulnerability is “wormable”, meaning whether another “Tumblr worm” attack could be performed. Why would anyone even want to try? Viral reblogging would be noticed and stopped fast. The “Tumblr worm” was just a rather harmless demonstration.
Tumblr stored Cross-site Scripting facts
(based on my tests with two Tumblr accounts on separate PCs and three browsers)
- The victim does not have to be logged in to Tumblr
- If a user reblogs a malicious post, the new post includes the payload, so the injected code can spread
#1 – Phishing
It would be quite easy to ask the user for input in various ways, and that input could be sent to the attacker’s server. Below is a screenshot of a simple prompt asking for the user’s email address:
#2 – Spreading malware
An attacker could push malicious files from his or her server to Tumblr users. Below is a screenshot of a simple file push using window.open:
One possible attack scenario
An attacker could create several Tumblr accounts and start blogging viral or popular videos under well-chosen tags. Trust and popularity could be increased by using the other accounts to reblog the video posts. Once the “attack blog” had enough followers, the attacker could publish a malicious post using carefully selected tags. If the followers reblogged the malicious post, the payload would start spreading.
Reblogging is an easy-to-use and popular Tumblr feature, similar to Twitter’s retweet or Facebook’s “like” button. An attack based on social engineering (users want to reblog interesting posts) could spread more widely than the Tumblr worm attack did.
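Both the “reblog copies the payload” fact in the list above and the scenario just described come down to one thing: post bodies are stored and copied verbatim, active content included. The JavaScript below is an added example, not code from this post or from Tumblr, showing the defensive side of that: an allow-list HTML sanitizer applied whenever a post is stored or reblogged, and a toy post store that contrasts the unsanitized path (every reblog carries the payload) with the sanitized one. The function and store names (sanitizeHtml, storePost, reblog), the example.invalid URL and the placeholder payload() are all constructed for the example; the regex tokenizer is only there to keep the idea runnable in a few lines, and a real site should use a maintained DOM-based sanitizer such as DOMPurify instead.

```javascript
// Added example (not Tumblr's code): allow-list sanitizer applied at storage time,
// so that a payload in one post cannot ride along into every reblog of it.

const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "a", "img"]);
const ALLOWED_ATTRS = { a: new Set(["href", "title"]), img: new Set(["src", "alt"]) };
const URL_ATTRS = new Set(["href", "src"]);

// Browsers decode character references (with or without ';') before using an
// attribute as a URL, so "&#106;avascript:" must be decoded before it is checked.
function decodeEntities(s) {
  return s.replace(/&#x([0-9a-f]+);?|&#(\d+);?|&(amp|lt|gt|quot|apos);?/gi, (m, hex, dec, named) => {
    if (named) return { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" }[named.toLowerCase()];
    const cp = parseInt(hex || dec, hex ? 16 : 10);
    return cp > 0x10ffff ? "\uFFFD" : String.fromCodePoint(cp);
  });
}

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Accept only http(s) or scheme-less (relative) URLs. Control characters and
// whitespace are stripped first because browsers ignore them inside a scheme.
function safeUrl(value) {
  const v = value.replace(/[\u0000-\u0020\u007f]/g, "");
  const scheme = v.match(/^([a-z][a-z0-9+.-]*):/i);
  return scheme && !/^https?$/i.test(scheme[1]) ? null : v;
}

// Anything that is not a well-formed tag is treated as text and escaped, which
// is the safe default for a sanitizer.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

function sanitizeHtml(html) {
  let out = "", last = 0, m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeHtml(decodeEntities(html.slice(last, m.index))); // text between tags
    last = TAG_RE.lastIndex;
    const [, closing, rawName, attrText] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) continue;             // drops <script>, <iframe>, <style>, ...
    if (closing) { out += `</${name}>`; continue; }
    const allowed = ALLOWED_ATTRS[name] || new Set();
    let attrs = "", a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(attrText)) !== null) {
      const attr = a[1].toLowerCase();
      if (!allowed.has(attr)) continue;                // drops every on* handler, style, etc.
      let value = decodeEntities(a[2] ?? a[3] ?? a[4] ?? "");
      if (URL_ATTRS.has(attr)) { value = safeUrl(value); if (value === null) continue; }
      attrs += ` ${attr}="${escapeHtml(value)}"`;
    }
    out += `<${name}${attrs}>`;
  }
  return out + escapeHtml(decodeEntities(html.slice(last)));
}

// Toy post store (constructed). A reblog copies the original body verbatim, as on
// Tumblr; with sanitize=false that copies the payload, with the default it does not.
function createStore() { return { posts: [] }; }

function storePost(store, author, rawBody, { sanitize = true } = {}) {
  const post = { id: store.posts.length + 1, author, body: sanitize ? sanitizeHtml(rawBody) : rawBody };
  store.posts.push(post);
  return post;
}

function reblog(store, author, original, opts) {
  return storePost(store, author, original.body, opts);
}

// Crude detection check: does a stored body still carry active content?
function hasActiveContent(body) {
  return /<script\b|<[a-z]+[^>]*\son[a-z]+\s*=|(?:href|src)\s*=\s*["']?\s*javascript:/i.test(body);
}

// Constructed sample post: ordinary content plus the kinds of payload the post
// describes (a handler that runs for every visitor, logged in or not). payload()
// is a placeholder name, not a real function.
const SAMPLE_POST = '<p>Funny cat video</p>' +
  '<img src="http://example.invalid/cat.gif" onerror="payload()">' +
  '<a href="&#106;avascript:payload()">watch</a><script>payload()</script>';

function demonstrate() {
  const vulnerable = createStore();
  const p0 = storePost(vulnerable, "attacker", SAMPLE_POST, { sanitize: false });
  const p1 = reblog(vulnerable, "follower1", p0, { sanitize: false });
  reblog(vulnerable, "follower2", p1, { sanitize: false });

  const hardened = createStore();
  const q0 = storePost(hardened, "attacker", SAMPLE_POST);
  const q1 = reblog(hardened, "follower1", q0);
  return {
    unsanitizedReblogsCarryPayload: vulnerable.posts.every(p => hasActiveContent(p.body)),
    sanitizedBody: q0.body,
    sanitizedReblogClean: !hasActiveContent(q1.body),
    idempotent: sanitizeHtml(q0.body) === q0.body,
  };
}

console.log(JSON.stringify(demonstrate(), null, 2));
```

Running it shows the three unsanitized posts all still carrying the payload, while the hardened store keeps only `<p>Funny cat video</p><img src="http://example.invalid/cat.gif"><a>watch</a>payload()`: the event handler and the entity-encoded javascript: link are gone and the script body survives only as inert text. Sanitizing on storage (and again on reblog, which is harmless because the sanitizer is idempotent) is what breaks the reblog chain; a Content-Security-Policy that disallows inline script is a sensible second layer, since it limits what a payload can do even if a sanitizer bug lets one through.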