Tumblr hacked? (opens in new tab)

(tumblr.com)

66 pointsdepoisfalamos13y ago22 comments

22 comments

biot13y ago

If you suspect a site has been compromised, wouldn't a better approach be to submit this as a text article explaining your reasons rather than linking to the affected site? Depending on the nature of the hack, the title could easily have been:

  Was Tumblr hacked in order to do drive-by malware installs? (tumblr.com)

Now everyone who clicks is potentially at risk.

sstiernborg13y ago

Agreed!

TNW Article: http://thenextweb.com/insider/2012/12/03/a-worm-is-hijacking...

47eo13y ago

Indeed, it was kind of stupid from the submitter.

g-garron13y ago

Thanks God I click on it while on Linux :)

jychang13y ago

It's a Javascript worm, your OS doesn't matter. (I think)

elcapo13y ago

Yes, Linux saves you from javascript malware.

shortformblog13y ago

Keeping an eye on this. The post in question looks like this:

https://dl.dropbox.com/u/58607934/Screen%20Shot%202012-12-03...

It has nailed a number of major accounts, including The Verge, USA Today, Reuters and The Daily Dot.

Buzzfeed has tips on how to keep safe: http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-...

Update: The GNAA says that the hack was part of an anti-blogging campaign.

> This was just another part of our "anti-blogging" campaign. GNAA's stance on blogging in general has always been a negative one: in short, blogging is lowering journalistic standards to the point where the number of friends a murderer has on Facebook has become news.

http://www.guardian.co.uk/technology/2012/dec/03/tumblr-cybe...

nbashaw13y ago

At the bottom of the spam post it says if you delete the post it will delete your Tumblr account. Since this spreads by people viewing it, it's probably important to point out that deleting the posts will not delete your tumblr account, and you should do it immediately so people viewing your blog don't get infected themselves.

rootinier13y ago

Yep. http://www.businessinsider.com/tumblr-hacked-2012-12

tl;dr: if you have a Tumblr account (and an active session), delete your cookies before opening any *.tumblr.com site.

derpenxyne13y ago

The exploit uses a "data-uri script tag" in the video embed field. In other words, it runs some sort of script through the section of the site that's supposed to only allow video embed codes from sites like YouTube and Vimeo. A pretty serious security hole.

matthuggins13y ago

Mind sharing where you found this info? Did you figure it out yourself?

schill13y ago

See point #10 from http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-...

schill13y ago

Looks like a Base64-encoded JS URI in the video player URL. Somewhat sneaky. How it ends up redirecting the page to a reblog URL isn't clear. https://gist.github.com/4196142

thezilch13y ago

Hacking vector was fixed: https://twitter.com/tumblr

Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.

Hello7113y ago

Looking at the other comments, this seems like basic CSRF to me.

j2labs13y ago

Nothing particularly interesting seems to have actually happened. Some posts got onto the Dashboard, which was still running. In fact, everything was still working just fine.

Script kiddies found a small crack and went for it.

lysol13y ago

It's not really a script kiddie if it's an original exploit, and is still a vulnerability that has cost businesses money.

j2labs13y ago

What is your source for that info?

Also, whether or not it cost the business money has nothing to do with the quality of the break-in.

1 more reply

shortformblog13y ago

My entire dashboard was filled with these worm posts an hour ago, and hit a number of major sites.

elcapo13y ago

"Script-kiddies" don't author exploits, or discover vulnerabilities.

j / k navigate · click thread line to collapse

22 comments

biot13y ago

  Was Tumblr hacked in order to do drive-by malware installs? (tumblr.com)

Now everyone who clicks is potentially at risk.

sstiernborg13y ago

Agreed!

TNW Article: http://thenextweb.com/insider/2012/12/03/a-worm-is-hijacking...

47eo13y ago

Indeed, it was kind of stupid from the submitter.

g-garron13y ago

Thanks God I click on it while on Linux :)

jychang13y ago

It's a Javascript worm, your OS doesn't matter. (I think)

elcapo13y ago

Yes, Linux saves you from javascript malware.

shortformblog13y ago

Keeping an eye on this. The post in question looks like this:

https://dl.dropbox.com/u/58607934/Screen%20Shot%202012-12-03...

It has nailed a number of major accounts, including The Verge, USA Today, Reuters and The Daily Dot.

Buzzfeed has tips on how to keep safe: http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-...

Update: The GNAA says that the hack was part of an anti-blogging campaign.

http://www.guardian.co.uk/technology/2012/dec/03/tumblr-cybe...

nbashaw13y ago

rootinier13y ago

Yep. http://www.businessinsider.com/tumblr-hacked-2012-12

tl;dr: if you have a Tumblr account (and an active session), delete your cookies before opening any *.tumblr.com site.

derpenxyne13y ago

matthuggins13y ago

Mind sharing where you found this info? Did you figure it out yourself?

schill13y ago

See point #10 from http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-...

schill13y ago

Looks like a Base64-encoded JS URI in the video player URL. Somewhat sneaky. How it ends up redirecting the page to a reblog URL isn't clear. https://gist.github.com/4196142

thezilch13y ago

Hacking vector was fixed: https://twitter.com/tumblr

Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.

Hello7113y ago

Looking at the other comments, this seems like basic CSRF to me.

j2labs13y ago

Nothing particularly interesting seems to have actually happened. Some posts got onto the Dashboard, which was still running. In fact, everything was still working just fine.

Script kiddies found a small crack and went for it.

lysol13y ago

It's not really a script kiddie if it's an original exploit, and is still a vulnerability that has cost businesses money.

j2labs13y ago

What is your source for that info?

Also, whether or not it cost the business money has nothing to do with the quality of the break-in.

1 more reply

shortformblog13y ago

My entire dashboard was filled with these worm posts an hour ago, and hit a number of major sites.

elcapo13y ago

"Script-kiddies" don't author exploits, or discover vulnerabilities.

j / k navigate · click thread line to collapse