Security researcher Janne Ahlberg explains how attackers can leverage this flaw

Dec 11, 2012 14:39 GMT

According to security researcher Janne Ahlberg, who has thoroughly investigated the recent incident in which thousands of Tumblr blogs were hijacked, the stored cross-site scripting (XSS) vulnerability that allowed the hackers to pull off the stunt remains unfixed.

The expert points out that he personally contacted Tumblr’s development team to warn them about the vulnerability behind the “reblog” attack that took place on December 3.

“I don’t claim ‘credits’ for this vulnerability: all details were available before I even had time to test. What surprises me is the fact that this issue is not yet fixed,” Ahlberg wrote on his personal blog after performing numerous tests.

He explains that this vulnerability could be utilized for numerous cybercriminal operations. The stored XSS could be used for phishing, malware attacks, and even to spam users.

“[The] attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags,” the expert described in a possible attack scenario.

“Trust and popularity could be increased by using other accounts for reblogging video posts. Once the ‘attack blog’ had enough followers, the attacker could create a malicious post using carefully selected tags. If the followers reblogged the malicious post, the spreading of the payload would start.”

The researcher also reveals some interesting facts about this particular stored XSS security hole. For instance, victims of attacks that exploit this vulnerability don’t have to be logged in to Tumblr.

The bug can also spread a malicious payload on its own: when an entry is reblogged, the payload is copied into the new post.

Furthermore, arbitrary JavaScript can be executed in the victim’s browser from a remote location.
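The propagation described above, modelled as an added Python example (not Tumblr's or Ahlberg's code): a post body that is stored and copied verbatim on each reblog reaches every follower's blog unchanged, whereas an allowlist sanitizer applied before every write, on the original post and on each reblog alike, strips script elements, event-handler attributes and non-http links. Tag names, post ids and the sample body are constructed for the example.

```python
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a", "br"}      # anything else is dropped
ALLOWED_ATTRS = {"a": {"href"}}               # so on* handlers never survive
SAFE_SCHEMES = ("http://", "https://")         # rejects javascript: links

class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes and escapes all text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                           if n in ALLOWED_ATTRS.get(tag, set()) and v
                           and v.strip().lower().startswith(SAFE_SCHEMES))
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html):
    s = AllowlistSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)

def reblog_chain(body, hops, sanitize_on_write):
    # Store body as p0, reblog it `hops` times, return the last copy.
    clean = sanitize if sanitize_on_write else (lambda b: b)
    posts = {"p0": clean(body)}
    for i in range(1, hops + 1):  # a reblog copies the source's stored body
        posts[f"p{i}"] = clean(posts[f"p{i - 1}"])
    return posts[f"p{hops}"]

# Constructed sample body with an inert marker call, not a real attack string.
SAMPLE = ('<p>Cat video <script>xss_marker()</script><b onmouseover="m()">here</b>'
          ' <a href="javascript:m()">bad</a> <a href="https://example.org/v">ok</a></p>')
```

The hand-written sanitizer only illustrates the allowlist approach; a production service would use a maintained HTML sanitizing library and still escape on output.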

Despite these numerous attack scenarios, it appears that Tumblr is still having difficulties in addressing the flaw. It’s worth noting that the individuals who added the racist post to the thousands of blogs also claimed to have notified Tumblr one week before deciding to prove their point.