Yesterday, security media were astir about a quickly spreading worm on popular micro-blogging site Tumblr by long-time trolling collective GNAA. The worm caused several thousand Tumblr accounts to display a profane message.
Recipe for mass infection
While there is still significant speculation as to exactly how the trolling group compromised the website, my take is that it was likely a cross-site scripting (XSS) vulnerability, allowing the attackers to execute JavaScript when someone viewed the post. I believe it was possibly through an obscure field (such as embedded content, tags, etc.) that was vulnerable, rather than the actual post body. When someone viewed the infected post, the JavaScript posted the same infected message to any other Tumblrs associated with the currently logged-in user. Normally a user would have to willingly choose to send the post to all their friends, but because of the vulnerability in Tumblr, the attackers were able to send it to all of a user's friends automatically. This allowed the message to be posted to a massive swath of accounts and to be reposted over and over again. All they had to do then was post the message on a single blog and wait for it to spread like mad.
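The weakness described above is that a renderer can escape the post body carefully while passing a "minor" field such as tags through raw. The following is an added illustration, not Tumblr's code; the field names, the renderers and the sample post are constructed for the example.

```javascript
// Added example (not Tumblr's code): escaping only the post body leaves
// other user-controlled fields, such as tags, open to stored XSS.
// All field names and sample values below are constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text for the HTML element/attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Weak renderer: the body is escaped, but each tag is interpolated raw.
// This is the pattern the post above suspects: the script never has to
// appear in the body at all.
function renderPostWeak(post) {
  const tags = post.tags.map((t) => `<a class="tag">#${t}</a>`).join(' ');
  return `<div class="post"><p>${escapeHtml(post.body)}</p>${tags}</div>`;
}

// Hardened renderer: every user-controlled field is escaped for its
// context, with no exception for fields that "only hold short text".
function renderPostSafe(post) {
  const tags = post.tags
    .map((t) => `<a class="tag">#${escapeHtml(t)}</a>`)
    .join(' ');
  return `<div class="post"><p>${escapeHtml(post.body)}</p>${tags}</div>`;
}

// Cheap regression check for a template test suite: does a raw <script>
// element survive rendering? Escaped text contains no literal '<'.
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample post: harmless body, hostile tag.
const SAMPLE_POST = {
  body: 'hello <b>world</b>',
  tags: ['cats', '<script>/* constructed marker */</script>'],
};

console.log('weak renderer leaks script:', containsLiveScript(renderPostWeak(SAMPLE_POST)));
console.log('safe renderer leaks script:', containsLiveScript(renderPostSafe(SAMPLE_POST)));
```

The same check applies to any other field the template touches (embed codes, titles, source URLs); the point is that the review covers every interpolation, not just the obvious one.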
An interesting combination
While an XSS vulnerability itself is likely not very sophisticated, and is a weakness that can be found in many websites, the way the trolls leveraged it is interesting. Typically attackers either target end users, through phishing or a drive-by download, or target servers through a known exploit that can then be used to transmit the worm to other servers susceptible to the same flaw.
What we see in the Tumblr case is different. It is not exactly targeted at end users, and it's not exactly targeted at the server either. In this case, the worm exists in the application only. It lives and thrives inside the architecture created by the developers. If the site didn’t have end users, the worm wouldn’t spread. If the application worked differently, the exploit wouldn’t work either. It was the combination – vulnerability in a service that encouraged sharing and the existence of user accounts – that made it possible.
For shock not profit
Further, it’s interesting to think about the internet trolling community as a more active entrant into the world of web hacking. While previous groups like Lulz Security were potentially out to hack websites for recreation, they were not trolls looking to incite strong reactions from the online community. It will be interesting to watch whether trolling groups use this method with increasing regularity.
Luckily, the motive of this attack was to shame members of Tumblr rather than something more malicious.
More troubling, however, the worm could have been written to actually infect the end users it came in contact with. Given the volume of exposed users, this could have been extremely destructive.
This attack should serve as a wakeup call to other organizations as well as Tumblr. Lax security could result in epidemic malware infections for which no one but the organization itself is responsible. Protecting web applications should be a priority for any organization, particularly those with a large online presence.