How the Tumblr worm spread so quickly

Last updated 12:52 04/12/2012
Tumblr Worm
iStock

TO THE CORE: The Tumblr worm took advantage of Tumblr's reblogging feature.

Relevant offers

Digital Living

Huawei boss: China cybersecurity rules 'could backfire' HBO tracking down pirates who downloaded leaked Game of Thrones episodes Google shaking up search recommendations on smartphones Sony lobbied Netflix to stop Aussie VPN users, leak shows Too much information: where's your Fitbit and Apple Watch data going? Yahoo chooses to stay with Microsoft in updated search deal Apple cooperation with antitrust monitor down 'sharply' - report Sony Pictures condemns Wikileaks release of documents from hackers Microsoft quietly content as EU moves on Google Facebook Messenger apps seek to infuse emotion into texts

This post was originally published on Mashable.

An infectious worm spread rapidly across the blogging platform Tumblr on Monday, causing the site to disable posting and encourage users to reset passwords immediately.

As Tumblr cleans up the mess, web security firm SophosLabs took a deeper look into how the infection spread so quickly. The culprit? Its reblogging feature.

"It appears that the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages," Sophos said in a blog post.

The pages of about 8000 Tumblr blogs - which were reportedly affected by GNAA, a well-known hacker and internet trolling group - have a form of malicious code embedded within them. 

According to Sophos, the worm was actually hidden inside an iframe, which is a window where content from another site can load (for example, a Facebook button). It was encoded using Base64, so to the naked eye, the malware looked like jumbled text.

Sophos believes the cyber attackers wouldn't have been able to post the worm through JavaScript. Instead, it got around Tumblr's site security by disguising their code through Base 64. Users who came across the worm saw a pop-up message, disguised as a Tumblr prompt.

"If you were not logged into Tumblr when your browser visited the URL, it would simply redirect you to the standard login page," Sophos said. "However, if your computer was logged into Tumblr, it would result in the GNAA content being reblogged on your own Tumblr."

Mashable is the largest independent news source covering digital culture, social media and technology.

Ad Feedback

Comments

Special offers

Featured Promotions

Sponsored Content