Earlier this week, Tumblr fell victim to a fast-spreading virus that affected logged-in users who viewed infected blog pages. The company was forced to temporarily suspend the ability of site users to post in order to get the JavaScript virus under control and clean it from the website.
The malware went viral on December 3. Tumblr users viewing an infected post, if they were logged in, would discover that a racist rant had been published to their own account automatically by the malicious code. Initially, Tumblr's engineers tweeted that they had resolved the issue and that it had not spread very widely, affecting only a few thousand Tumblr blogs.
That turned out not to be the case, as Sophos, a security firm, later discovered. Investigating the malware with some information it acquired from an infected account, Sophos found a block of JavaScript that had been scrambled to hide from Tumblr's security filters. According to eWeek's reporting of the incident, “The code would grab the message text from a page on the site 'strangled.net' and post it to the affected user's account.”
Graham Cluley, a senior technology consultant with Sophos, stated his belief that “the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.” The virus's post credits a group of trolls with creating the malware.
About the only good news pertaining to the attack is that it could have been much worse, and it wasn't. Chet Wisniewski, a senior security advisor with Sophos, noted that “they only spread an offensive message” and “didn't do a drive-by attack and use the JavaScript to put malware on your computer. As far as things go, it's as mild as it could have been.”
What is troubling is how easily the hackers got around Tumblr's security. They used only Base64 encoding to scramble their code, and Base64 is a trivially reversible encoding, not encryption, so it offers no real protection at all. Robert Lemos, writing for eWeek, noted that “Normally, an online service would prevent another site from accessing its accounts through JavaScript.” Still, Tumblr reacted quickly to the issue and cleaned up the site.
It makes sense to consider the attack part of Tumblr's expected growing pains. Wisniewski pointed out that both Facebook and Twitter experienced similar issues when they were young. “There are a million different ways to slice-and-dice JavaScript, and still get it to run, and you can't block them all,” he added.
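The point that a filter can be slipped past with nothing more than Base64 is easy to show with a small server-side check. The following is an added illustration, not code from Tumblr, Sophos or eWeek: it contrasts a naive content filter that only looks for script markers in the literal text of a submitted post with one that also decodes any Base64-looking runs before checking them. The marker list, the 40-character minimum blob length and the sample post are assumptions chosen for the demonstration.

```python
import base64
import binascii
import re

# Strings a hypothetical content filter treats as signs of embedded script.
# This list is an assumption for the example, not a complete or recommended set.
SCRIPT_MARKERS = (
    "<script", "eval(", "document.", "xmlhttprequest",
    "fetch(", "unescape(", "fromcharcode",
)

# Runs of Base64 alphabet characters long enough to be worth decoding
# (the 40-character threshold is an arbitrary choice for this example).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_candidates(text):
    """Yield (blob, decoded_text) for each Base64-looking run that decodes
    cleanly to mostly printable UTF-8; anything else is skipped."""
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        padded = blob + "=" * (-len(blob) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if not decoded:
            continue
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in decoded)
        if printable / len(decoded) >= 0.95:
            yield blob, decoded


def naive_filter(html):
    """Flag script markers that appear literally in the submitted text.
    A Base64-wrapped payload contains none of them, so it passes."""
    low = html.lower()
    return [m for m in SCRIPT_MARKERS if m in low]


def base64_aware_filter(html):
    """Same check, but also applied to the decoded form of every
    Base64-looking run; hits from decoded blobs are prefixed 'base64:'."""
    hits = naive_filter(html)
    for _blob, decoded in decode_candidates(html):
        low = decoded.lower()
        hits.extend("base64:" + m for m in SCRIPT_MARKERS if m in low)
    return hits


# Constructed sample: an inert placeholder script, Base64-encoded and tucked
# into an attribute of an otherwise ordinary-looking post. It is not the worm.
SAMPLE_PAYLOAD = b'<script>document.title = "placeholder";</script>'
SAMPLE_BLOB = base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
SAMPLE_POST = (
    "<p>Check out my new blog theme!</p>"
    '<div data-theme="' + SAMPLE_BLOB + '"></div>'
)


if __name__ == "__main__":
    print("naive filter:       ", naive_filter(SAMPLE_POST))
    print("base64-aware filter:", base64_aware_filter(SAMPLE_POST))
```

Decoding Base64 closes exactly one gap, which is the one this worm used; as Wisniewski's remark about the million ways to slice up JavaScript suggests, a marker-based filter will never be complete. The controls that hold regardless of how the payload is disguised are escaping user-supplied content when it is rendered and requiring a per-session token on any request that posts or reblogs on the user's behalf, so that script running in a page cannot act on the account merely because the viewer is logged in.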
Tumblr apologized for the issue a second time at the end of the day, reassuring users that no accounts were compromised, and they did not need to take further action. “As always, we are going to great lengths to make sure this type of abuse does not happen again,” the company concluded. Sadly, these kinds of attacks will probably continue to keep security engineers at social media and similar types of websites on their toes for years to come.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.