
JavaScript Virus Attacks Tumblr Blogs


Earlier this week, Tumblr fell victim to a fast-spreading virus that affected logged-in users who viewed infected blog pages. The company was forced to temporarily suspend the ability of site users to post in order to get the JavaScript virus under control and clean it from the website.

Author Info:
By: Terri Wells
December 05, 2012


The malware went viral on December 3. Tumblr users who viewed an infected post while logged in would discover that a racist rant had been published to their own account automatically by the malicious code. Initially, Tumblr's engineers tweeted that they had resolved the issue and that it had not spread very widely, affecting only a few thousand Tumblr blogs.

That turned out not to be the case, as Sophos, a security firm, later discovered. Investigating the malware with some information it acquired from an infected account, Sophos found a block of JavaScript that had been scrambled to hide from Tumblr's security filters. According to eWeek's reporting of the incident, “The code would grab the message text from a page on the site 'strangled.net' and post it to the affected user's account.”

Graham Cluley, a senior technology consultant with Sophos, stated his belief that “the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.” The virus's post credits a group of trolls with creating the malware.

About the only good news pertaining to the attack is that it could have been much worse, and it wasn't. Chet Wisniewski, a senior security advisor with Sophos, noted that “they only spread an offensive message” and “didn't do a drive-by attack and use the JavaScript to put malware on your computer. As far as things go, it's as mild as it could have been.”

What is troubling is how easily the hackers got around Tumblr's security. They used only Base64 encoding to scramble their code, and Base64 is a trivially reversible encoding rather than real encryption. Robert Lemos, writing for eWeek, noted that “Normally, an online service would prevent another site from accessing its accounts through JavaScript.” Still, Tumblr reacted quickly to the issue and cleaned up the site.
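The sketch below is an added example, not code from Tumblr, Sophos or the article: it shows why Base64 scrambling gets past a filter that matches only raw text, and how decoding before matching closes that gap. The marker patterns, the `data-blob` attribute and the sample posts are constructed assumptions; none of it is the worm's payload or Tumblr's filter.

```javascript
// Added example: decode Base64 runs before matching, so encoded script text is seen.
// Marker patterns and thresholds are illustrative assumptions, not Tumblr's filter.
const SCRIPT_MARKERS = [/<script\b/i, /\bjavascript:/i, /\son[a-z]+\s*=/i, /<iframe\b/i];
const B64_RUN = /[A-Za-z0-9+\/]{24,}={0,2}/g; // long Base64-looking runs
const MAX_DEPTH = 3; // cap on nested decoding

function hasScriptMarker(text) {
  return SCRIPT_MARKERS.some((re) => re.test(text));
}

// Decode a candidate run; keep it only if the bytes are mostly printable text,
// which separates real encoded markup from hashes or path-like strings.
function tryDecode(run) {
  const text = Buffer.from(run, "base64").toString("latin1");
  if (text.length === 0) return null;
  const printable = (text.match(/[\x20-\x7e\r\n\t]/g) || []).length;
  return printable / text.length >= 0.9 ? text : null;
}

// Scan the raw text, then every decoded layer, and report where a marker appears.
function scanPost(html, depth = 0) {
  const findings = [];
  if (hasScriptMarker(html)) findings.push({ depth, reason: "script marker" });
  if (depth >= MAX_DEPTH) return findings;
  for (const run of html.match(B64_RUN) || []) {
    const decoded = tryDecode(run);
    if (decoded !== null) findings.push(...scanPost(decoded, depth + 1));
  }
  return findings;
}

// Constructed samples (harmless script text, hypothetical data-blob attribute).
const b64 = (s) => Buffer.from(s, "latin1").toString("base64");
const hidden = b64('<script>document.title="demo"</script>');
const samples = {
  encodedOnce: `<p>nice photo</p><span data-blob="${hidden}"></span>`,
  encodedTwice: `<span data-blob="${b64(hidden)}"></span>`,
  benign: `<p>weekend set</p><span data-blob="${b64("just a plain caption, nothing executable")}"></span>`,
};

for (const [name, html] of Object.entries(samples)) {
  console.log(name, "raw match:", hasScriptMarker(html), "decoded scan:", scanPost(html));
}
```

Decode-then-match is a detection aid for this one encoding; every other encoding a filter wants to see through needs its own normalization step before matching.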

It makes sense to consider the attack part of Tumblr's expected growing pains. Wisniewski pointed out that both Facebook and Twitter experienced similar issues when they were young. “There are a million different ways to slice-and-dice JavaScript, and still get it to run, and you can't block them all,” he added.
 
Tumblr apologized for the issue a second time at the end of the day, reassuring users that no accounts were compromised, and they did not need to take further action. “As always, we are going to great lengths to make sure this type of abuse does not happen again,” the company concluded. Sadly, these kinds of attacks will probably continue to keep security engineers at social media and similar types of websites on their toes for years to come.

