Security & Mobility Now
Kyle Adams

A Few Words on Tumblr's Troll Hack

by Juniper Employee on 12-04-2012 12:11 PM

Yesterday, security media were abuzz over a fast-spreading worm on the popular micro-blogging site Tumblr, released by the long-running trolling collective GNAA. The worm caused several thousand Tumblr accounts to display a profane message.

Recipe for mass infection

While there is still considerable speculation about exactly how the trolling group compromised the site, my take is that it was likely a cross-site scripting (XSS) vulnerability that let the attackers execute JavaScript whenever someone viewed the post. I believe the injection point was possibly an obscure field (embedded content, tags, and the like) rather than the post body itself. When someone viewed the infected post, the JavaScript posted the same infected message to every other Tumblr associated with the currently logged-in user. Normally a user would have to deliberately choose to send the message to all of their friends, but because of the vulnerability in Tumblr, the attackers could send it to all of a user's friends automatically. That let the message reach a massive swath of accounts and be reposted over and over again. All the attackers had to do was post the message on a single board and wait for it to spread.
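As an added illustration (not code from the original post or from Tumblr), here is a Python sketch of the two lessons a defender would take from the account above: escape every user-controlled field, including the obscure ones, rather than only the post body, and watch for the worm's signature of identical content reposted from many accounts within minutes. The field names, sample post and event log are constructed, and the raw-rendered tags field is a hypothetical stand-in for whichever field was actually vulnerable.

```python
import html
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample post. The template escapes the body, but the tags field is
# assumed (hypothetically) to be rendered raw: an overlooked field of the kind suspected above.
SAMPLE_POST = {
    "body": "Read this <b>now</b>",
    "tags": ["news", '<script src="https://worm.example/w.js"></script>'],
}

def escape_text(value):
    """Escape a value for an HTML text node or a double-quoted attribute."""
    return html.escape(value, quote=True)

def render_post_unsafe(post):
    """Vulnerable rendering: only the body is escaped; tags pass through raw."""
    tags = " ".join(f'<a class="tag">{t}</a>' for t in post["tags"])
    return f'<div class="body">{escape_text(post["body"])}</div><div class="tags">{tags}</div>'

def render_post_safe(post):
    """Hardened rendering: every user-controlled field is escaped, not just the body."""
    tags = " ".join(f'<a class="tag">{escape_text(t)}</a>' for t in post["tags"])
    return f'<div class="body">{escape_text(post["body"])}</div><div class="tags">{tags}</div>'

def detect_repost_burst(events, window=timedelta(minutes=5), threshold=3):
    """Flag content hashes posted by >= threshold distinct accounts inside one window.
    events: (timestamp, account, content_hash) sorted by timestamp. A worm reposting
    itself through viewers' accounts looks like identical content under many accounts."""
    recent = defaultdict(deque)   # content_hash -> deque of (timestamp, account)
    flagged = set()
    for ts, account, content_hash in events:
        q = recent[content_hash]
        q.append((ts, account))
        while ts - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len({acct for _, acct in q}) >= threshold:
            flagged.add(content_hash)
    return flagged

# Constructed post-creation log: three accounts post hash "h1" within minutes,
# while "h2" is an ordinary post from one account.
T0 = datetime(2012, 12, 3, 9, 0)
SAMPLE_EVENTS = [
    (T0, "alice", "h1"),
    (T0 + timedelta(minutes=1), "bob", "h1"),
    (T0 + timedelta(minutes=2), "carol", "h2"),
    (T0 + timedelta(minutes=3), "dave", "h1"),
]
```

The unsafe renderer emits the injected script tag verbatim, the safe one neutralizes it, and the burst detector flags only the hash that three different accounts posted inside the five-minute window.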

An interesting combination

While an XSS vulnerability is itself not very sophisticated, and is a weakness that can be found in many websites, the way the trolls leveraged it is interesting. Typically attackers either target end users, through phishing or a drive-by download, or target servers through a known exploit that can then be used to transmit the worm to other servers susceptible to the same flaw.

What we see in the Tumblr case is different. It is not exactly targeted at end users, and it's not exactly targeted at the server either. In this case, the worm exists in the application only. It lives and thrives inside the architecture created by the developers. If the site didn’t have end users, the worm wouldn’t spread. If the application worked differently, the exploit wouldn’t work either. It was the combination – vulnerability in a service that encouraged sharing and the existence of user accounts – that made it possible.

For shock not profit

Further, it's interesting to think about the internet trolling community as a more active entrant into the world of web hacking. Previous groups like Lulz Security may have hacked websites for recreation, but they were not trolls looking to incite strong reactions from the online community. It will be interesting to watch which trolling groups use this method with increasing regularity.

Luckily, the motive of this attack was to shame members of Tumblr rather than something more malicious.

More troubling, however, the worm could have been written to actually infect the end users it came into contact with. Given the number of exposed users, that could have been extremely destructive.

This attack should serve as a wake-up call to other organizations as well as Tumblr. The cost of lax security can be epidemic malware infections, with no one to blame but the organizations themselves. Protecting web applications should be a priority for any organization, particularly those with a large online presence.
