The Tumblr microblogging, social networking and online sharing site was hit on Monday by a group that harasses blogs and practices Internet trolling — the posting of provocative or off-topic messages online. The hackers created an offensive posting that propagated itself relentlessly on Tumblr’s network.
“Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs earlier today,” company spokesperson Katherine Barna told TechNewsWorld.
Tumblr lets users post multimedia and other content to a blog. Users can make their blogs private, and they can follow other users’ blogs. Many of Tumblr’s features are accessed from its dashboard, where users have the option to post content.
What Happened, Sort Of
The worm took advantage of Tumblr’s reblogging feature, so anyone logged into the site would automatically reblog the infected post if they had visited it, according to Sophos’ Naked Security blog.
The poisoned code was encoded JavaScript hidden inside an iframe. The script generated a pop-up message, apparently from Tumblr, saying the site would be undergoing maintenance and offering a link to follow.
Visitors to the poisoned URL who weren’t logged into Tumblr would be redirected to the Tumblr login page. If they were logged into Tumblr, however, their account would be infected with offensive content.
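The report above says the worm's JavaScript was encoded and hidden inside an iframe. As an added example (not Tumblr's code or fix, which the article does not describe), the following server-side check scans submitted post HTML, flags active elements and decodes data: URIs to look for embedded script. That the encoding took the form of a base64 data: URI is an assumption, and `scan_post`, `PostScanner` and the sample post are constructed for illustration.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import unquote_to_bytes

ACTIVE_TAGS = {"iframe", "script", "object", "embed"}
URL_ATTRS = {"src", "href", "data"}

def decode_data_uri(value):
    """Return the decoded body of a data: URI, or None if value is not one."""
    if not value.lower().startswith("data:"):
        return None
    header, _, body = value[5:].partition(",")
    try:
        if header.lower().endswith(";base64"):
            return base64.b64decode(body + "=" * (-len(body) % 4))
        return unquote_to_bytes(body)
    except ValueError:
        return b""  # malformed payload: nothing to inspect

class PostScanner(HTMLParser):
    """Collects reasons a user-submitted post body should be held for review."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS:
                if value.lower().startswith("javascript:"):
                    self.findings.append(f"javascript: URL in {name} of <{tag}>")
                decoded = decode_data_uri(value)
                if decoded is not None and b"<script" in decoded.lower():
                    self.findings.append(f"script inside data: URI in {name} of <{tag}>")

def scan_post(html):
    """Return a list of findings for one post body (empty list means clean)."""
    scanner = PostScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: an iframe whose source is an encoded, inert script stub.
_stub = base64.b64encode(b"<script>/* inert placeholder */</script>").decode()
SAMPLE_POST = f'<p>Maintenance notice</p><iframe src="data:text/html;base64,{_stub}"></iframe>'
```

A scan like this is a detection aid for review queues; allow-list sanitization of post markup and a content security policy remain the actual controls.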
At least 8,000 sites were reportedly infected, including Tumblr blogs for major media organizations such as Reuters, USA Today and Entertainment Weekly. The worm reportedly sometimes posted so many times that users were locked out, with Tumblr stating they’d reached their daily posting limit.
Tumblr’s response to the attack was to ask users to immediately log out of all browsers that may be using the site while its engineers came up with a solution.
Tumblr posted an update Monday afternoon in which it said no accounts had been compromised and members don’t need to take any further action.
The Dark Side of Openness
Security and functionality “tend to exist in an inverse relationship. In other words, the more functional you make something, the less secure it tends to become,” Roger Thompson, chief emerging threats researcher at ICSA Labs, told TechNewsWorld. “Social networks obey the same rule. They build for huge functionality and, despite their best efforts, security issues are always possible.”
Facebook, for example, has long been a major target for hackers because its openness and the trust people place in their Facebook friends make it easy to spread viruses or perpetrate widespread fraud.
That led Facebook to incorporate malicious URL databases from Microsoft, McAfee, Trend Micro, Sophos and Symantec into its URL blacklist system in April. In addition, it launched an antivirus marketplace from which users could download full versions of those vendors’ antivirus offerings at no charge.
Any cloud-based site with lots of users is a prime target because of the large amount of information such sites yield. For example, Sony’s PlayStation Network was hacked repeatedly, leading to the loss of customer data.
However, the upside to building for huge functionality is that, when an issue is discovered, companies like Facebook and Tumblr “can potentially fix it very quickly,” Thompson remarked.
The Art of Web Self-Defense
There’s nothing an end user can do to avoid falling prey to such attacks, because everything is in the hands of the service provider, Thompson stated.
“The best an end user can do is to consider the implications of their data being lost or compromised,” Thompson continued. He suggested users keep a copy of any data to which they are emotionally attached on their local computer drives.
“To paraphrase Obi Wan, we will never find a more wretched hive of scum and villainy than the Internet,” Thompson said. “We must be cautious.”