Hackers attack Tumblr with worm
A post on Tumblr Monday morning that began, “Dearest ‘Tumblr’ users,” turned out to be a worm that infected close to 9,000 accounts on the popular micro-blogging site before Tumblr engineers fixed the problem.
“Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thank you for your patience,” Tumblr staffers tweeted at 10:24 a.m. PST.
If you clicked on the post, a dialogue box popped up asking whether to stay on the page or navigate away. Clicking either option repeatedly reblogged the post on your own account.
A group of Internet trolls called the GNAA took credit for the worm, which filled infected Tumblrs with racist spam. The GNAA was apparently targeting Tumblr’s so-called “bronies,” or fans of “My Little Pony Friendship is Magic.” In a press release announcing the hack, the GNAA (an acronym we will not spell out due to its offensive nature) called the worm part of a “brony-removal drive.”
The spam message warned that deleting the posts will delete your Tumblr account, but that turned out to be false. Buzzfeed advised owners of infected accounts to close all Tumblr tabs, then reopen the Dashboard and delete the spam posts.
There is no evidence to suggest that the worm stole any passwords, but changing yours as a precaution is a good idea.
Tumblr on Monday afternoon announced that it has fixed the security vulnerability, an unsecured video embedding script, that allowed the GNAA worm to replicate across so many accounts.
This isn’t the first time the GNAA has attacked a popular website. Wikipedia, Barack Obama, and CNN have all been the targets of GNAA’s ire. The group uses “crapflooding,” or spamming a site with repeated words and phrases, as a trolling tactic.
The GNAA was involved in a 2010 leak of e-mail addresses associated with iPad pre-orders from AT&T’s website. The president of the GNAA, Andrew “Weev” Auernheimer, was arrested and convicted of two felonies following that breach.
This article was updated at 2:51 p.m. PST with information about Tumblr's security patch from IDG News Service.