Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Tumblr Worm. Show all posts
Web Application Vulnerability
Persistent Cross Site Scripting Security News Stored XSS Vulnerability Tumblr Worm Vulnerability Web Application Vulnerability

Stored XSS vulnerability in Tumblr can be used for Phishing and Malware attack

tumblr stored xss

Recently we reported that the reason behind the Tumblr reblog attack is Stored cross Site scripting(XSS) vulnerability. The vulnerability was discovered by a security researcher Janne Ahlberg. Janne says the vulnerability is not yet fixed.

According to his research, It is possible to embed JavaScript and some other HTML tags to certain Tumblr post types (e.g. video post).

The vulnerability can be used for launching phishing attacks.  For instance,it would be quite easy to ask input from user in various ways. User input could be stored to attackers server. Attacker could push malicious files from his/her server to Tumblr users.

"Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts."Researcher described one possible attack scenario.

"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."
Read more »
XSS Vulnerability
Featured Stored XSS Vulnerability Tumblr hacked Tumblr Worm Vulnerability XSS Vulnerability

Tumblr worm spread due to unfixed Stored XSS vulnerability


tumblr worm xss

The day after Tumblr was hit by a "worm" that left many Tumblr websites defaced with an identical message by Internet troll group GNAA, a security researcher has confirmed there is Stored Cross site scripting vulnerability in Tumblr that allowed attackers to hack Tumblr.

According to Naked Security report, the worm appears to took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

If you were not logged into Tumblr when your browser visited the url, it would simply redirect you to the standard login page.

According to some news report, the hackers behind the attack has warned Tumblr weeks ago about a vulnerability. But there is no response from Tumblr.

Tumblr XSS hack
Janne Ahlberg confirmed XSS vulnerability


"I created a temporary Tumblr account using different browser, submitted a public post with stored XSS payload and visited the profile from another PC & different account. The vulnerability seems to be valid." Security researcher Janne Ahlberg confirmed the xss flaw in his blog post.

"A new Tumblr worm could still be possible. See analysis by @JanneFI: http://janne.is/testing-tumblr-worm-root-cause/ … Good example on how XSS vulns are not harmless." Mikko Hyppönen, CRO at F-Secure tweet reads.

*Update* Tumblr is still vulnerable to stored-XSS Read the updated post here 
Read more »
Subscribe to: Posts (Atom)