Tumblr haunted by stored (persistent) XSS flaw

Tumblr users are sitting ducks for cookie theft, malicious site redirection and script execution attacks.

A security researcher has posted evidence of a serious cross-site scripting vulnerability on Tumblr, the popular micro-blogging site used by millions.

Technical details on the flaw, described as a stored (persistent) XSS issue, is being withheld by Riyaz Walikar, the researcher who found the issue.

follow Ryan Naraine on twitter

Walikar said he disclosed the issue to Tumblr on June 25, 2012 but the vulnerability still exists, putting millions of web surfers at risk of malicious hacker attacks.

"XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like BeEF and download and execute exploits on the victim's computer. Stored XSS is even more dangerous since the script is stored on the server and is executed everytime user visits an infected page," Walikar warned in a blog post that discusses the flaws.

The blog post contains two screenshots to demonstrate the XSS flaws.