Stored XSS vulnerability in Tumblr can be used for Phishing and Malware attack

The reason behind the Tumblr reblog attack is a stored cross-site scripting (XSS) vulnerability. The vulnerability is not yet fixed.

Recently we reported that the reason behind the Tumblr reblog attack is a stored cross-site scripting (XSS) vulnerability. The vulnerability was discovered by security researcher Janne Ahlberg. Janne says the vulnerability is not yet fixed.

According to his research, it is possible to embed JavaScript and some other HTML tags in certain Tumblr post types (e.g. video posts).

The vulnerability can be used for launching phishing attacks. For instance, it would be quite easy to ask for input from users in various ways. That input could be stored on the attacker's server, and the attacker could push malicious files from his/her server to Tumblr users.
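The defence against this class of bug is server-side: anything a user may embed in a rich post type has to pass through an allowlist before it is stored and rendered to other users. The following is an added example, not Tumblr's code and not from the researcher's report; the tag and attribute policy (`ALLOWED_TAGS`), the embed-host allowlist (`ALLOWED_EMBED_HOSTS`), the function name `sanitize_post_html` and all sample markup are assumptions constructed for illustration.

```python
"""Allowlist-based HTML sanitizer for user-supplied post markup.

Added example (not Tumblr's code). Everything that is not on the allowlist is
either dropped (tags, attributes, script/style content) or escaped (text), so
that stored markup cannot carry script into another user's browser.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical policy: tags a video post may contain, with allowed attributes.
ALLOWED_TAGS = {
    "p": set(), "b": set(), "i": set(), "em": set(), "strong": set(), "br": set(),
    "a": {"href", "title"},
    "iframe": {"src", "width", "height"},
}
VOID_TAGS = {"br"}
# Elements whose text content is discarded entirely, not merely their tags.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed"}
# Hypothetical allowlist of hosts an iframe may embed from.
ALLOWED_EMBED_HOSTS = {"www.youtube.com", "player.vimeo.com"}


def _safe_url(value, for_embed=False):
    """Return the URL only if its scheme is http(s); embeds must also match a host."""
    value = value.strip()
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https"):
        return None  # rejects javascript:, data:, vbscript: and scheme-less junk
    if for_embed and parsed.netloc.lower() not in ALLOWED_EMBED_HOSTS:
        return None
    return value


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, used to keep output balanced
        self.drop_depth = 0   # > 0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # this also drops every on* handler and style attribute
            if name in ("href", "src"):
                value = _safe_url(value, for_embed=(tag == "iframe"))
                if value is None:
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        if tag == "iframe" and not any(k.startswith(" src=") for k in kept):
            return  # an embed without an approved source is dropped outright
        if tag == "a":
            kept.append(' rel="noopener noreferrer"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open_tags:
            return
        # Close everything opened after this tag so the output stays well-formed.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) never reach the output

    def result(self):
        self.close()
        while self.open_tags:  # close anything the author left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_post_html(markup):
    """Sanitize user-supplied post markup before it is stored or rendered."""
    sanitizer = PostSanitizer()
    sanitizer.feed(markup)
    return sanitizer.result()


if __name__ == "__main__":
    # Constructed sample input: a video post with an approved embed plus stray markup.
    sample = '<p>Tom &amp; Jerry <b onclick="x()">clip</b></p>' \
             '<iframe src="https://www.youtube.com/embed/abc"></iframe>'
    print(sanitize_post_html(sample))
```

The policy is deliberately an allowlist rather than a blocklist: a blocklist has to anticipate every tag and attribute that can execute script, while an allowlist only has to describe the handful of things a video post legitimately needs. Applying it at write time (before storage) and again at render time is cheap and protects against content stored before the filter existed.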

"Attacker could create several Tumblr accounts and start blogging viral or popular videos using well chosen tags. Trust and popularity could be increased by using other accounts for reblogging video posts." The researcher described one possible attack scenario this way.

"Once the 'attack blog' would have enough followers, attacker could create a malicious post again with carefully selected tags. If the followers would reblog a malicious post, the spreading of payload would start."