Vulgar posts land on prominent blogs, Tumblr patches vulnerability

Rick


Tumblr says it has addressed a vulnerability which allowed hackers to force visitors into unwittingly reposting an offensive, expletive-ridden message condemning the "tasteless" and "bourgeoisie" blog site. More than 8,600 users were affected -- Cnet, USA Today and The Verge were among prominent accounts affected -- but Tumblr assures users that no accounts have been compromised.

The message itself begins, "Dearest 'Tumblr' users." The rest of the post derides Tumblr for being a waste of time (isn't that kind of the point?) and insists its "emo" users should "drink bleach and die". The message also scared users out of deleting it, claiming doing so would also delete that user's account.

Although Tumblr hasn't spilled (and likely won't spill) the gory details of the attack, security experts believe hackers discovered a method for doing something they ought not be able to do: the insertion of JavaScript code into Tumblr posts. Experts speculate the site fell prey to the same old trick that other young social networking startups have, which is unscrupulous users embedding malicious Base64-encoded JavaScript to trigger a cross-site scripting attack.

Once the code was inserted into a Tumblr comment, Internet browsers would interpret and render that code as part of the page, obscuring legitimate content with the hackers' crude message. That code then propagated itself by exploiting Tumblr's "reblog" feature, forcing visitors to unknowingly repost their own copy of the profanity-filled message.

The hacktivists claiming responsibility for the incident identify themselves as the GNAA. If you're wondering what that stands for, let's just say the innocuous abbreviation is every bit as profane as their message.

The GNAA claims their recent Tumblr attack was prompted by "lowering journalistic standards" and what is essentially shoddy programming.

This was just another part of our "anti-blogging" campaign. GNAA's stance on blogging in general has always been a negative one: in short, blogging is lowering journalistic standards to the point where the number of friends a murderer has on Facebook has become news.

Tumblr is a blogging website whose employees we have found, time and time again, to put the safety of their users second to their revenue. Instead of hiring competent, dedicated staff, they hire part-time programmers who can't even defend against the most basic of security issues, such as XSS. I mean, for chrissake, they don't even throttle (or the threshold is ridiculously high) the number of posts per minute a user is allowed to make! Blogging services everywhere need to step up and hire people who know what they're doing.

Source: Guardian.co.uk, GNAA spokesman

It has been suggested that Tumblr was warned of the vulnerability by GNAA hackers weeks ago.
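
A defender-side sketch of the control the article says was missing, added here as an example and not taken from Tumblr or the article: an allowlist sanitizer for user-submitted post HTML that rejects any URL that is not absolute http(s) and logs when a Base64 `data:` URI decodes to script. The tag allowlist, the function names and the sample post are assumptions constructed for illustration.

```python
import base64, binascii, re
from html import escape
from html.parser import HTMLParser
# Assumed policy for this sketch: tiny tag allowlist, absolute http(s) links only.
ALLOWED = {"p": (), "b": (), "i": (), "a": ("href",)}

def check_url(value):  # returns "" if acceptable, else the rejection reason
    cleaned = re.sub(r"[\x00-\x20]+", "", value)  # whitespace can hide a scheme
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.I)
    scheme = m.group(1).lower() if m else ""
    reason = "" if scheme in ("http", "https") else f"scheme '{scheme}' not allowed"
    if scheme == "data" and ";base64," in cleaned.lower():
        try:  # decoded only to enrich the log entry; the URL is rejected regardless
            text = base64.b64decode(cleaned.split(",", 1)[1]).decode("utf-8", "replace")
        except binascii.Error:
            text = ""
        if re.search(r"<script|javascript:", text, re.I):
            reason += "; base64 payload decodes to script content"
    return reason

class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings = [], []
    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:
            reason = check_url(value or "") if name in ("href", "src") else ""
            if reason:
                self.findings.append(f"<{tag} {name}>: {reason}")
            elif name in ALLOWED.get(tag, ()):
                kept.append(f' {name}="{escape(value or "")}"')
        if tag in ALLOWED:
            self.out.append(f"<{tag}{''.join(kept)}>")
        else:
            self.findings.append(f"<{tag}>: tag not allowed")
    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(escape(data))  # text (even a dropped <script> body) is re-escaped

def sanitize_post(html):
    parser = PostSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings
_B64 = base64.b64encode(b"<script>/* inert sample */</script>").decode()  # constructed
SAMPLE = f'<p>Hi <b>all</b></p><iframe src="data:text/html;base64,{_B64}"></iframe><a href="https://example.com/">ok</a>'
```

`sanitize_post(SAMPLE)` returns the cleaned markup plus a findings list suitable for logging; the markup is rebuilt from the allowlist rather than having bad fragments cut out of the original.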


 
No offense or malice intended but I thought the post and the GNAA were pretty funny.
But the real question is if your account is actually deleted if you delete the post!
 
So yet again another wannabe anon trying to put their world view out for the public to see. I give them points for the hack but take away points for the message. It seems more and more these hackers are not trying to secure the web for future use. It appears that they only do what they do to spread their personal message w/o thinking of the consequences. How many kids were on Tumblr? How many elderly following their grandchildren's blogs? The same message could have been gotten across with A LOT less profanity.
 
If a group is a group then it is not Anonymous. The 'many heads to a hydra' thing anon has going for it sets it apart from any other group.

Not for or against either; just saying...
 


Are you one of the tumblrs that was broken hearted by this?
 
@Corrosive
No actually. I don't blog. I just feel that these ppl who hack legitimate online businesses in order to spread their own world view are lower than scum. My questions remain valid despite your sarcasm. How many kids were reading their BFF blog? To put that level of profanity up for all to see simply because you disagree with a website, is not only counter productive, but just crass. Just because you may have the skill set to accomplish something, doesn't mean you should.
 
Truth to tell, all I've ever seen from Tumblr is redistributed amateur porn, and that was before the attack....:eek:
 