Tumblr Cross Site Scripting Vulnerability Discovered, Can Be Used to Spread Worms

When hackers discover website vulnerabilities, they take advantage of it to spread viruses and malware to an unsuspecting audience. When some pretty good people discover them, they take the time to inform the website's administrators so they can correct or patch them before the former group has a chance to exploit the vulnerabilities.

Two security researchers, Aditya Gupta (@adi1391) and Subho Halder (@sunnyrockzzs), belong to the latter group. They came across a cross site scripting vulnerability on social networking and blog site Tumblr, which could be used to steal cookies of authenticated users and exploited to make and spread worms and viruses.

We have also tried to contact them via Twitter and mail earlier, but no response from their side. So we have decided to release it. Well, not exactly, where the vulnerability is, but just to let them know that it is vulnerable.

-- Aditya Gupta and Subho Halder

Tumblr better get back to them fast and act on this matter before it goes out of hand. This is another instance where the popular site has been targeted by cyber criminals, with the previous one being the phishing scam where old login pages of the site were used to steal users' passwords.