

Tumblr hacked? - depoisfalamos
http://www.tumblr.com/dashboard

======
biot
If you suspect a site has been compromised, wouldn't a better approach be to
submit this as a text article explaining your reasons rather than linking to
the affected site? Depending on the nature of the hack, the title could easily
have been:

    Was Tumblr hacked in order to do drive-by malware installs? (tumblr.com)

Now everyone who clicks is potentially at risk.

~~~
g-garron
Thank God I clicked on it while on Linux :)

~~~
jychang
It's a JavaScript worm, your OS doesn't matter. (I think)

------
shortformblog
Keeping an eye on this. The post in question looks like this:

[https://dl.dropbox.com/u/58607934/Screen%20Shot%202012-12-03...](https://dl.dropbox.com/u/58607934/Screen%20Shot%202012-12-03%20at%2010.31.27%20AM.png)

It has nailed a number of major accounts, including The Verge, USA Today,
Reuters and The Daily Dot.

Buzzfeed has tips on how to keep safe:
[http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-...](http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-security-hole-in-tumblr)

Update: The GNAA says that the hack was part of an anti-blogging campaign.

> This was just another part of our "anti-blogging" campaign. GNAA's stance on
> blogging in general has always been a negative one: in short, blogging is
> lowering journalistic standards to the point where the number of friends a
> murderer has on Facebook has become news.

[http://www.guardian.co.uk/technology/2012/dec/03/tumblr-cybe...](http://www.guardian.co.uk/technology/2012/dec/03/tumblr-cyber-worm-anti-blogging)

~~~
nbashaw
At the bottom of the spam post it says if you delete the post it will delete
your Tumblr account. Since this spreads by people viewing it, it's probably
important to point out that deleting the posts will _not_ delete your Tumblr
account, and you should do it immediately so people viewing your blog don't
get infected themselves.

------
rootinier
Yep. <http://www.businessinsider.com/tumblr-hacked-2012-12>

tl;dr: if you have a Tumblr account (and an active session), delete your
cookies before opening any *.tumblr.com site.

------
derpenxyne
The exploit uses a "data-uri script tag" in the video embed field. In other
words, it runs some sort of script through the section of the site that's
supposed to only allow video embed codes from sites like YouTube and Vimeo. A
pretty serious security hole.

~~~
matthuggins
Mind sharing where you found this info? Did you figure it out yourself?

~~~
schill
See point #10 from [http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-...](http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-security-hole-in-tumblr)

------
schill
Looks like a Base64-encoded JS URI in the video player URL. Somewhat sneaky.
How it ends up redirecting the page to a reblog URL isn't clear.
<https://gist.github.com/4196142>
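The two comments above (derpenxyne's "data-uri script tag in the video embed field" and schill's "Base64-encoded JS URI in the video player URL") describe the same weakness: an embed field that accepts any URL, not just http(s) URLs on known video hosts. The block below is an added example, not Tumblr's code or anything from the linked gist; it shows a defender-side validator that rejects `data:`, `javascript:`, scheme-less and host-spoofing URLs by scheme and host allowlist, plus a scanner that flags such embeds already sitting in stored post HTML. The allowlist and the sample post are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist of video player hosts an embed field is meant to accept.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "youtube.com", "player.vimeo.com", "vimeo.com"}


def validate_embed_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). Accept only http(s) URLs whose host is allowlisted.

    data:, javascript: and similar schemes are rejected on scheme alone, so a
    base64 payload inside a data: URI never has to be decoded or inspected.
    """
    if not isinstance(url, str):
        return False, "not a string"
    # Drop control characters (tab, newline) that browsers ignore inside a scheme,
    # then strip surrounding whitespace, before parsing.
    cleaned = "".join(ch for ch in url if ch.isprintable()).strip()
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Covers data:, javascript:, vbscript:, bare paths and protocol-relative //host.
        return False, f"scheme not allowed: {scheme or '(none)'}"
    # .hostname already discards any user:pass@ prefix, so "youtube.com@evil" fails here.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_EMBED_HOSTS:
        return False, f"host not allowed: {host or '(none)'}"
    return True, "ok"


class _SrcCollector(HTMLParser):
    """Collect the URL attribute of every tag that can load remote or inline code."""
    TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag.lower())
        if attr:
            for name, value in attrs:
                if name.lower() == attr and value is not None:
                    self.found.append((tag.lower(), value))


def find_bad_embeds(post_html: str) -> list:
    """Return [(tag, url, reason)] for each embed in stored post HTML that fails validation."""
    parser = _SrcCollector()
    parser.feed(post_html)
    results = [(tag, url, *validate_embed_url(url)[::-1]) for tag, url in parser.found]
    return [(tag, url, reason) for tag, url, reason, ok in results if not ok]


# Constructed sample post: one legitimate embed, one data: URI script tag whose
# base64 body is just a harmless placeholder comment.
SAMPLE_POST = (
    '<p>hello</p>'
    '<iframe src="https://www.youtube.com/embed/abc123"></iframe>'
    '<script src="data:text/javascript;base64,Ly8gY29uc3RydWN0ZWQgcGxhY2Vob2xkZXI="></script>'
)
```

Running `find_bad_embeds(SAMPLE_POST)` flags only the `script` element with a "scheme not allowed: data" reason, which is the check the embed field was missing.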

------
thezilch
Hacking vector was fixed: <https://twitter.com/tumblr>

_Tumblr engineers have resolved the issue of the viral post attack that
affected a few thousand Tumblr blogs. Thanks for your patience._

------
Hello71
Looking at the other comments, this seems like basic CSRF to me.

------
j2labs
Nothing particularly interesting seems to have actually happened. Some posts
got onto the Dashboard, which was still running. In fact, everything was still
working just fine.

Script kiddies found a small crack and went for it.

~~~
lysol
It's not really a script kiddie if it's an original exploit, and is still a
vulnerability that has cost businesses money.

~~~
j2labs
What is your source for that info?

Also, whether or not it cost the business money has nothing to do with the
quality of the break-in.

~~~
freehunter
Who cares about the quality or the skill it took? If it's an unskilled attack,
it's even worse. If script kiddies can break into your site, your security is
alarmingly poor.

The things that matter during an attack: how much damage was caused, what kind
of data was compromised, and how much it will cost to get things fixed. The
quality of the attack is only a factor when it comes to cost/benefit of fixing
the vulnerability.

~~~
j2labs
My first comment actually addresses each of your points.

