Massive worm hits Tumblr, spams big blogs like USA Today

Hacker group GNAA claims responsibility for the attack and says 8,600 unique Tumblr users were affected -- but by midmorning, Tumblr said it had resolved the issue.

Shara Tibken Former managing editor

Shara Tibken was a managing editor at CNET News, overseeing a team covering tech policy, EU tech, mobile and the digital divide. She previously covered mobile as a senior reporter at CNET and also wrote for Dow Jones Newswires and The Wall Street Journal. Shara is a native Midwesterner who still prefers "pop" over "soda."

See full bio

Shara Tibken

Dec. 3, 2012 8:49 a.m. PT

3 min read

The Verge is one Tumblr site hit by a massive worm. Screenshot by Benjamin Dreyfuss/CNET

A massive bug swept Tumblr today and infected some of the biggest blogs -- including USA Today, Reuters, The Verge, and CNET -- until Tumblr resolved the issue shortly before 10:30 a.m. PT.

GNAA, a hacker group, claimed responsibility for the attack. The group's Twitter profile earlier today said 8,600 unique Tumblr users were affected.

Tumblr didn't explain what happened but said in a blog post that no accounts were compromised, and users didn't need to take any further action.

"Our sincere apologies for the inconvenience," the company said. "As always, we are going to great lengths to make sure this type of abuse does not happen again."

Hacker group GNAA has claimed responsibility for the Tumbler attack. Screenshot by Shara Tibken/CNET

When the viral post first started circulating, Tumblr advised users to immediately log out of all browsers that might have been using Tumblr. It also said its engineers were working to resolve the issue as swiftly as possible.

A spokeswoman later updated CNET at about 10:30 a.m. PT, saying Tumblr engineers "resolved the issue of the viral post attack that affected a few thousand Tumblr blogs earlier today."

When visiting an infected Tumblr site, users would see an expletive-laden post urging them to commit suicide. The spam also said deleting the post would delete the user's Tumblr account. Visitors also saw a pop-up asking them to confirm they wanted to leave the page.

Tumblr visitors see a pop-up along with spam on the site pages. Screenshot by Benjamin Dreyfuss/CNET

Sophos, a provider of security software and hardware, including antivirus products, thinks it has figured out how the worm spread so quickly on Tumblr. The firm noted in a blog post that the worm appeared to take advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.

Sophos noted that each affected post had malicious code embedded inside, and it spread sort of like a Web virus. Chester Wisniewski, a Sophos senior security adviser, said someone found a way to bypass Tumblr's filters by possibly hijacking a legitimate message from Tumblr about site maintenance.

He added that such an attack could have been prevented, and that the situation has happened to many other social media sites. Programmers build Web pages that can't be hacked, but there are also tens of thousands of ways to inject code on a page, he said. Sometimes it's difficult for newer companies to identify and plug all of those holes.

"It was preventable, but this type of thing happens to most social media sites at some point in their youth," Wisniewski told CNET. "Hopefully, Tumblr will learn and lock its site down tighter, and we don't [sic] see it happen again."

Cybersecurity has increasingly been a concern for social media, blogs, and other online outlets. The worm by GNAA is only the latest example of such an attack.

Art Coviello, executive chairman of EMC's RSA security business, today made some predictions about the security landscape for 2013. Among his expectations is that hackers will get more sophisticated and national governments will continue to fail to make legislation on rules of evidence and information sharing, as well as reform privacy laws.

In addition, he expects "attack surfaces to continue to expand and any remaining semblance of a perimeter will continue to wither away."

Ultimately, Coviello said, it's "highly likely that a rogue nation state, hacktivists or even terrorists will move beyond intrusion and espionage to attempt meaningful disruption and, eventually, even destruction of critical infrastructure."

The comments are similar to those from John "Mike" McConnell, who served as director of the National Security Agency under President Bill Clinton and then as director of national intelligence under presidents George W. Bush and Barack Obama. He told the Financial Times that the U.S. faces the "cyber equivalent of the World Trade Center attack" unless urgent action is taken.

Updated at 10:40 a.m. PT with news about the issue being resolved, analysis by Sophos, and predictions from RSA's Art Coviello, and again at 2:50 p.m. PT with Tumblr's blog post about the incident and comments from a Sophos senior security adviser.