December 4, 2012
Tumblr Worm Exploited Site’s Re-blogging Feature
redOrbit Staff & Wire Reports - Your Universe Online
A group of hackers going by the name "GNAA" claimed responsibility for a fast-spreading software worm that infected thousands of accounts on the popular micro-blogging site Tumblr on Monday morning.Users of infected accounts saw their pages defaced with a profane, expletive-laden message.
Tumblr was able to fix the security exploit within hours, and released a statement Monday afternoon saying the site had been restored to normal.
“This morning, some of you may have noticed a spam post appearing repeatedly on your Dashboard and on the blogs of a few thousand affected accounts. We quickly identified the source, removed the posts, and restored service to normal,” the statement read.
“No accounts have been compromised, and you don´t need to take any further action. Our sincere apologies for the inconvenience. As always, we are going to great lengths to make sure this type of abuse does not happen again.”
Security software firm Sophos said the worm had harnessed Tumblr´s re-blogging feature, so that anyone who was logged into the site would automatically re-blog the infected post if they visited one of the offending pages.
“Each affected post had some malicious code embedded inside them,” Sophos said on its Naked Security blog.
In a now-deleted tweet, GNAA said its exploit had impacted 8,600 Tumblr accounts at its peak. The Internet trolling group released a statement saying the attack was part of its ongoing war against bronies -- male fans of My Little Pony.
A GNAA spokesman said the hack was also aimed at shining a light on Tumblr's slack security.
"We contacted Tumblr about this weeks ago and nothing came of it," the spokesman told Gawker.
"This was a serious issue that needed to be fixed."
“Our assumption is that the attackers managed to skirt around Tumblr's defenses by disguising their code through Base 64 encoding and embedding it in a data URI.”