A fast-spreading JavaScript virus jumped between accounts on the Tumblr blogging service on Dec. 3, prompting the company’s engineers to respond by temporarily suspending the ability to post in order to halt the malware’s spread on the site.
Tumblr users who viewed the malicious post, if logged in at the time, would find that a racist diatribe had been automatically published to their own account. Initially, Tumblr issued only two short statements to Twitter on the attack, saying in an early-afternoon tweet that the racist message had not widely spread.
“Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience,” the company stated.
Security firm Sophos, however, grabbed some details of the attack from one infected account, finding that the hypertext markup language (HTML) included a large block of JavaScript scrambled to evade Tumblr’s security filters. The code would grab the message text from a page on the site “strangled.net” and post it to the affected user’s account.
“It appears that the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages,” stated Graham Cluley, a senior technology consultant with the antivirus software maker.
According to the post added by the virus, which is also being called a worm, a group of online malcontents—or trolls—is responsible for the malicious code. While the content of the message was thrown together to garner attention, the actual impact of the attack could have been worse, Chet Wisniewski, a senior security adviser with Sophos, said during an afternoon call.
“Fortunately, they only spread an offensive message,” he said. “They didn’t do a drive-by attack and use the JavaScript to put malware on your computer. As far as things go, it’s as mild as it could have been.”
Whatever systems that Tumblr has in place to prevent attacks through JavaScript failed, and that is troubling, Wisniewski said. Normally, an online service would prevent another site from accessing its accounts through JavaScript, but the Base64 encoding that scrambled the code—kid’s play by Internet encryption standards—appeared to be enough to bypass Tumblr’s security.
Yet, the site reacted quickly and, after the company temporarily suspended posting to the service to slow down the virus, appears to have cleaned up the attack, he said.
“Facebook and Twitter had similar problems when they were young,” Wisniewski said. “There are a million different ways to slice-and-dice JavaScript, and still get it to run, and you can’t block them all. To some degree, this just represents growing pains for a social media site.”
In the past five years, for example, a number of worms have spread through Twitter, including one that jumped from account to account, in a way similar to the Tumblr virus. Facebook has seen its share of worms as well, including the infamous Koobface worm, which would infect users’ systems with malicious code.
At the end of the day, Tumblr issued another statement apologizing for the incident.
“No accounts have been compromised, and you don’t need to take any further action,” the company said in a statement sent to eWEEK. “Our sincere apologies for the inconvenience. As always, we are going to great lengths to make sure this type of abuse does not happen again.”