Tumblr troubled by trojan text - Update
An outbreak of a worm on Tumblr, the microblogging platform, hit many accounts by taking advantage of the platform's reblogging capability. The payload of the worm was the publication of a posting angrily explaining how the worm's authors hated Tumblr users, was analysed by Sophos which noted that the malicious code was embedded mostly as a Base64-encoded string hidden within a data URI. Once decoded and executed, it would pull code and content from another website.
The code would direct users to a login page if they were not logged into Tumblr at the time, but if they were logged in, it would reblog the message in the user's account. As the message contained the malicious code, the worm was spread through the reblogging. As an extra factor for confusion, on leaving the page, it was possible that the malicious code would display a dialog claiming Tumblr would be down for maintenance for several hours.
Tumblr confirmed the worm was spreading early on and within a couple of hours announced they had the worm breakout under control. But the problem demonstrates, yet again, the importance of cleaning and validating text input into web applications and ensuring that output text is not in a position to be executable by user's browsers. This is doubly important for social media and sharing sites where the systems are akin to a petri dish for self-replicating code.
Update - Janne Ahlberg, a security researcher and pentester, says that according to a quick test he made on Tumblr, the root cause of the problem, allowing the injection of the malicious code initially, has not been fixed. Until it is, Tumblr is still at risk of being over-run by reblogging worms.