Tumblr worm spread due to unfixed Stored XSS vulnerability


tumblr worm xss

The day after Tumblr was hit by a "worm" that left many Tumblr websites defaced with an identical message by Internet troll group GNAA, a security researcher has confirmed there is Stored Cross site scripting vulnerability in Tumblr that allowed attackers to hack Tumblr.

According to Naked Security report, the worm appears to took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page.

According to some news report, the hackers behind the attack has warned Tumblr weeks ago about a vulnerability. But there is no response from Tumblr.

Tumblr XSS hack
Janne Ahlberg confirmed XSS vulnerability


"I created a temporary Tumblr account using different browser, submitted a public post with stored XSS payload and visited the profile from another PC & different account. The vulnerability seems to be valid." Security researcher Janne Ahlberg confirmed the xss flaw in his blog post.

"A new Tumblr worm could still be possible. See analysis by @JanneFI: http://janne.is/testing-tumblr-worm-root-cause/ … Good example on how XSS vulns are not harmless." Mikko Hypp√∂nen, CRO at F-Secure tweet reads.

*Update* Tumblr is still vulnerable to stored-XSS Read the updated post here