Vulgar post lands on prominent blogs, Tumblr patches vulnerability

By on December 4, 2012, 6:00 PM

Tumblr says it has addressed a vulnerability which allowed hackers to force visitors into unwittingly reposting an offensive, expletive-ridden message condemning the "tasteless" and "bourgeoisie" blog site. More than 8,600 users were affected -- Cnet, USA Today and The Verge were among prominent accounts affected -- but Tumblr assures users that no accounts have been compromised.

The message itself begins, "Dearest 'Tumblr' users." The rest of the post derides Tumblr for being a waste of time (isn't that kind of the point?) and insists its "emo" users should "drink bleach and die". The message also scared users out of deleting it, claiming doing so would also delete that user's account.

Although Tumblr hasn't (and likely won't) spill the gory details of the attack, security experts believe hackers discovered a method for doing something they ought not to be able to do: inserting JavaScript code into Tumblr posts. Experts speculate the site fell prey to the same old trick that has caught other young social networking startups: unscrupulous users embedding malicious Base64-encoded JavaScript to trigger a cross-site scripting attack.

Once the code was inserted into a Tumblr comment, Internet browsers would interpret and render that code as part of the page, obscuring legitimate content with the hackers' crude message. That code then propagated itself by exploiting Tumblr's "reblog" feature, forcing visitors to unknowingly repost their own copy of the profanity-filled message.

The hacktivists claiming responsibility for the incident identify themselves as the GNAA. If you're wondering what that stands for, let's just say the innocuous abbreviation is every bit as profane as their message.

The GNAA claims their recent Tumblr attack was prompted by "lowering journalistic standards" and what is essentially shoddy programming.

This was just another part of our "anti-blogging" campaign. GNAA's stance on blogging in general has always been a negative one: in short, blogging is lowering journalistic standards to the point where the number of friends a murderer has on Facebook has become news.

Tumblr is a blogging website whose employees we have found, time and time again, to put the safety of their users second to their revenue. Instead of hiring competent, dedicated staff, they hire part-time programmers who can't even defend against the most basic of security issues, such as XSS. I mean, for chrissake, they don't even throttle (or the threshold is ridiculously high) the number of posts per minute a user is allowed to make! Blogging services everywhere need to step up and hire people who know what they're doing.

Source: Guardian.co.uk, GNAA spokesman

It has been suggested that Tumblr was warned of the vulnerability by GNAA hackers weeks ago.

User Comments: 7

hellokitty[hk], TechSpot Evangelist, said:

No offense or malice intended but I thought the post and the GNAA were pretty funny.

But the real question is if your account is actually deleted if you delete the post!

Tygerstrike said:

So yet again another wannabe anon trying to put their world view out for the public to see. I give them points for the hack but take away points for the message. It seems more and more these hackers are not trying to secure the web for future use. It appears that they only do what they do to spread their personal message w/o thinking of the consequences. How many kids were on Tumblr? How many elderly following their grandchildren's blogs? The same message could have been gotten across with A LOT less profanity.

corrosive23 said:

The more the "otherkin" and "offended" blog on tmblr the better. Tumblr is the cesspool of the internet.

PinothyJ said:

So yet again another wannabe anon trying to put their world view out for the public to see. I give them points for the hack but take away points for the message. It seems more and more these hackers are not trying to secure the web for future use. It appears that they only do what they do to spread their personal message w/o thinking of the consequences. How many kids were on Tumblr? How many elderly following their grandchildren's blogs? The same message could have been gotten across with A LOT less profanity.

If a group is a group then it is not Anonymous. The 'many heads to a hydra' thing anon has going for it sets it apart from any other group.

Not for or against either; just saying...

corrosive23 said:

So yet again another wannabe anon trying to put their world view out for the public to see. I give them points for the hack but take away points for the message. It seems more and more these hackers are not trying to secure the web for future use. It appears that they only do what they do to spread their personal message w/o thinking of the consequences. How many kids were on Tumblr? How many elderly following their grandchildren's blogs? The same message could have been gotten across with A LOT less profanity.

Are you one of the tumblrs that was broken hearted by this?

Tygerstrike said:

@Corrosive

No actually. I don't blog. I just feel that these ppl who hack legitimate online businesses in order to spread their own world view are lower than scum. My questions remain valid despite your sarcasm. How many kids were reading their BFF's blog? To put that level of profanity up for all to see simply because you disagree with a website is not only counterproductive, but just crass. Just because you may have the skill set to accomplish something doesn't mean you should.

captaincranky, TechSpot Addict, said:

Truth to tell, all I've ever seen from Tumblr is redistributed amateur porn, and that was before the attack....:eek:
