A malware attack against the Tumblr blogging platform has been stifled, but not before tens of thousands of pages were defaced with a racist taunt by a group of Internet trolls known as GNAA.
A post on the Tumblr staff blog yesterday said engineers had identified the source of the problem, removed the viral post and restored services. “No accounts have been compromised and you don’t need to take further action,” the post said.
The defacement was a nasty rant against bloggers that was accompanied by a threat that attempts to remove the post would result in the deletion of a user’s Tumblr account. Only user accounts that were logged in were hit by the post.
According to Sophos researcher Graham Cluley, the worm used Tumblr’s reblogging feature, forcing anyone who was logged in to automatically reblog the post if they landed on an infected page.
Cluley said Sophos discovered malicious JavaScript hidden in an iFrame that produced a phony maintenance notice and redirected users to a third-party website hosting the worm. Tumblr users who were not logged in were redirected to a log-in page, Cluley said. If the user was logged in, the GNAA message was reblogged onto the user’s page.
“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post – our assumption is that the attackers managed to skirt around Tumblr’s defenses by disguising their code through Base 64 encoding and embedding it in a data URI,” Cluley wrote. “The Base 64 string was actually encoded JavaScript, hidden inside an iFrame that was invisible to the naked eye that dragged content from a URL.”
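As an added, defender-side illustration of the hiding technique Cluley describes (this is example code, not Tumblr's filter or Sophos's detection logic), the following checker scans submitted post HTML for iframes whose `src` is a `data:` URI, decodes the base64 payload and flags it when the decoded markup contains script. The sample post, function names and regexes are constructed for the example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical content filter: decode data: URIs found in iframe src attributes so
# that base64-wrapped markup is inspected the same way as plain markup.
DATA_URI_RE = re.compile(r"^data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.DOTALL | re.IGNORECASE)
SCRIPT_RE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def decode_data_uri(uri):
    """Return the decoded payload of a data: URI as text, or None if uri is not a data: URI."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    params, payload = m.group(2).lower(), m.group(3)
    if ";base64" in params:
        payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(payload)
        except ValueError:
            return ""  # undecodable payload: nothing to inspect
        return raw.decode("utf-8", errors="replace")
    return unquote(payload)  # percent-encoded (non-base64) data: URI


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframe_srcs.extend(v for k, v in attrs if k == "src" and v)


def find_hidden_script_iframes(html):
    """Return decoded contents of data: iframes that carry script; empty list if none."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for src in parser.iframe_srcs:
        decoded = decode_data_uri(src)
        if decoded is not None and SCRIPT_RE.search(decoded):
            findings.append(decoded)
    return findings


# Constructed sample post: an invisible iframe whose data: URI hides base64-encoded markup with a script tag.
SAMPLE_INNER = "<html><body><script>/* constructed sample, does nothing */</script></body></html>"
SAMPLE_POST = ('<p>Check out my blog!</p><iframe style="display:none;width:0;height:0" src="data:text/html;base64,'
               + base64.b64encode(SAMPLE_INNER.encode()).decode() + '"></iframe>')
BENIGN_POST = '<p>Hello</p><iframe src="https://example.com/embed"></iframe>'
```

A filter that only looks at the outer HTML sees a single iframe with an opaque string; decoding the `data:` URI before applying the script check is what closes the gap.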
Tumblr and other social media platforms are popular attack targets. Earlier this summer, a cross-site scripting vulnerability was discovered in Tumblr that could allow an attacker to steal authentication cookies, which could in turn be used to log in to user accounts.
In 2011, a massive phishing attack targeted Tumblr users, again going after valid login credentials. The attack used social engineering, with adult content as the lure, to send users to a phony login page where the credentials they entered were stolen. The attackers used previously compromised Tumblr accounts to serve visitors the phony login page, which claimed to lead to the adult content.