A post on the Tumblr staff blog yesterday said engineers had identified the source of the problem, removed the viral post and restored services. “No accounts have been compromised and you don’t need to take further action,” the post said.
The defacement was a nasty rant against bloggers, accompanied by a threat that any attempt to remove the post would result in the deletion of the user’s Tumblr account. Only users who were logged in were affected.
According to Sophos researcher Graham Cluley, the worm abused Tumblr’s reblogging feature: any logged-in user who landed on an infected page was forced to reblog the post automatically to their own blog, which is how it spread from account to account.
Tumblr and other social media platforms are popular attack targets. Earlier this summer, researchers disclosed a cross-site scripting vulnerability in Tumblr that could be used to steal authentication cookies, which in turn could be replayed to log in to the victims’ accounts.
In 2011, a massive phishing attack targeted Tumblr users, again going after valid login credentials. The attack used social engineering, with adult content as the lure, to send users to a fake login page where the credentials they entered were harvested. The attackers hosted that page on previously compromised Tumblr accounts, which presented it to visitors as the way to reach the promised content.