Yesterday, security media were astir about a quickly spreading worm on popular micro-blogging site Tumblr by long-time trolling collective GNAA. The worm caused several thousand Tumblr accounts to display a profane message.
Recipe for mass infection
An interesting combination
While an XSS vulnerability itself is usually not very sophisticated, and is a weakness that can be found in many websites, the way the trolls leveraged it is interesting. Typically, attackers either target end users (through phishing or a drive-by download) or target servers through a known exploit, which is then used to transmit the worm to other servers susceptible to the same flaw.
What we see in the Tumblr case is different. It is not exactly targeted at end users, and it's not exactly targeted at the server either. In this case, the worm exists in the application only. It lives and thrives inside the architecture created by the developers. If the site didn’t have end users, the worm wouldn’t spread. If the application worked differently, the exploit wouldn’t work either. It was the combination – a vulnerability in a service that encouraged sharing, plus the existence of user accounts – that made it possible.
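To make the "sharing plus accounts" mechanism concrete from the defender's side, here is an added example in JavaScript. It is not Tumblr's code and is not from the original post; the feed store, the `share` function and the sample post body are assumptions constructed for illustration. It contrasts a renderer that interpolates stored user content straight into markup with one that escapes every untrusted field at output time, and shows how a share step copies a single post into many feeds, so that whether the markup is neutralised depends entirely on the render path, not on which account submitted it.

```javascript
// Added example (not Tumblr's code): content one user stores is later shown on
// other users' pages when they share it, so it must be treated as untrusted
// text at render time regardless of which account it came from.

// Minimal HTML escaper for text placed in element content or attribute values.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: user-supplied fields interpolated directly into markup.
function renderPostUnsafe(post) {
  return `<article data-author="${post.author}">${post.body}</article>`;
}

// Hardened pattern: every untrusted field is escaped at the point of output.
function renderPostSafe(post) {
  return `<article data-author="${escapeHtml(post.author)}">${escapeHtml(post.body)}</article>`;
}

// Sharing copies the original body verbatim into the sharer's own feed. This is
// the step that turns one bad post into many: the stored text is identical in
// every feed, so every render path must escape it.
function share(feeds, fromUser, postId, toUser) {
  const original = feeds[fromUser].find((p) => p.id === postId);
  const copy = { id: `${toUser}-${postId}`, author: original.author, body: original.body, sharedBy: toUser };
  feeds[toUser] = (feeds[toUser] || []).concat(copy);
  return copy;
}

// Render a list of posts and count how many still carry a raw <script> tag: a
// cheap check a template test or code review can apply to spot unescaped output.
function renderFeed(posts, render) {
  const html = posts.map(render).join('\n');
  const rawTagCount = (html.match(/<script\b/gi) || []).length;
  return { html, rawTagCount };
}

// Constructed sample data (hypothetical users; not from the incident).
const SAMPLE_BODY = 'hello <script>/* constructed placeholder */</script>';
const feeds = {
  alice: [{ id: 'p1', author: 'alice', body: SAMPLE_BODY }],
};
share(feeds, 'alice', 'p1', 'bob');
share(feeds, 'alice', 'p1', 'carol');

const allPosts = Object.values(feeds).flat();
console.log('unsafe render, raw script tags:', renderFeed(allPosts, renderPostUnsafe).rawTagCount); // 3
console.log('safe render, raw script tags:', renderFeed(allPosts, renderPostSafe).rawTagCount);     // 0
```

The design point is that escaping belongs at the output boundary: the share step can stay a plain copy, but a single template that skips `escapeHtml` re-exposes every feed that holds the shared post, which is exactly the amplification the post describes.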
For shock not profit
Further, it’s interesting to think about the internet trolling community as a more active entrant into the world of web hacking. While previous groups like Lulz Security were potentially out to hack websites for recreation, they were not trolls looking to incite strong reactions from the online community. It will be interesting to watch which trolling groups use this method with increasing regularity.
Luckily, the motive of this attack was to shame members of Tumblr rather than something more malicious.
More troubling, however, the worm could have been written to actually infect the end users it came in contact with. Given the volume of exposed users, this could have been extremely destructive.
This attack should serve as a wake-up call to other organizations as well as Tumblr. The cost of lax security could be epidemic malware infections, for which no one but the organizations themselves would be responsible. Protecting web applications should be a priority for any organization, particularly those with a large online presence.