Tumblr.com cleans up a few thousand pages after worm attack


Tumblr admitted it was hacked by the racist anti-blogging group that goes by the acronym GNAA.

A few thousand blogs were affected by the malicious worm, and every affected blog automatically published a racist spam post. The worm’s effect was short-lived. Tumblr has close to 8 million users who could have been infected. To be infected, a user had to be logged into Tumblr and using a browser other than Internet Explorer.

Internet Explorer users were protected against the attack not because the browser is more secure than Firefox or Chrome, but because Internet Explorer doesn’t execute base64-encoded JavaScript found in a URL. The attackers used a common attack vector that was adapted for Tumblr. A URL containing url=data:text/html;base64,PFNDUklQVD5hbGVydCgiUHduZWQiKTs8L1NDUklQVD4= normally results in a JavaScript popup. GNAA coded its worm using the same method. Tumblr checks whether JavaScript is included in new posts, but placing base64-encoded JavaScript inside a link made the hack possible: the encoded code passed all of Tumblr’s filters.
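A defensive check for the gap described above, as an added example that is not Tumblr's code or part of the original article: it parses a post's link attributes, decodes any data: URI found in the value or in a query parameter, and inspects the decoded content, which a pattern match on the raw post never sees. The example.invalid URL, the function names and the choice of attributes are assumptions made for illustration.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "formaction", "data"}
DATA_URI = re.compile(r"^data:([^,]*),(.*)$", re.I | re.S)
ACTIVE = re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)

def naive_filter(post_html):
    """Pattern match on the raw post only, the kind of check that was bypassed."""
    return bool(ACTIVE.search(post_html))

def decode_data_uri(value):
    """Return (media_type, decoded_text) if value is a data: URI, else None."""
    m = DATA_URI.match(re.sub(r"[\t\r\n]", "", value).strip())
    if not m:
        return None
    meta, payload = m.group(1).lower(), unquote(m.group(2))
    if meta.endswith(";base64"):
        try:
            payload = base64.b64decode(payload + "=" * (-len(payload) % 4)).decode("utf-8", "replace")
        except ValueError:
            payload = ""  # undecodable payloads are still reported as data: URIs
    return meta.split(";")[0] or "text/plain", payload

def candidates(value):
    """The attribute value plus each percent-decoded query parameter value."""
    query = value.partition("?")[2]
    return [value] + [unquote(p.partition("=")[2]) for p in query.split("&")]

class LinkAudit(HTMLParser):
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                for cand in candidates(value):
                    if (hit := decode_data_uri(cand)):
                        self.findings.append((tag, name, hit[0], naive_filter(hit[1])))

def audit_post(post_html):
    parser = LinkAudit()
    parser.findings = []  # (tag, attribute, media type, decoded content has script)
    parser.feed(post_html)
    parser.close()
    return parser.findings

SAMPLE_POST = (  # constructed post; payload is the alert() example quoted above
    '<a href="https://example.invalid/r?url=data:text/html;base64,'
    'PFNDUklQVD5hbGVydCgiUHduZWQiKTs8L1NDUklQVD4=">click</a>'
)
```

A stricter policy rejects any link attribute whose scheme is not on an allowlist such as http and https, so the accept or reject decision never depends on decoding the payload.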

The worm took advantage of Tumblr’s reblogging feature: through the specially crafted JavaScript it copied itself into newly infected blogs, along with the attack vector it had used in the first place.


