Tumblr hacked?

66 points, by depoisfalamos, over 12 years ago

8 comments

biot, over 12 years ago
If you suspect a site has been compromised, wouldn't a better approach be to submit this as a text article explaining your reasons rather than linking to the affected site? Depending on the nature of the hack, the title could easily have been:

    Was Tumblr hacked in order to do drive-by malware installs? (tumblr.com)

Now everyone who clicks is potentially at risk.
shortformblog, over 12 years ago
Keeping an eye on this. The post in question looks like this:

https://dl.dropbox.com/u/58607934/Screen%20Shot%202012-12-03%20at%2010.31.27%20AM.png

It has nailed a number of major accounts, including The Verge, USA Today, Reuters and The Daily Dot.

Buzzfeed has tips on how to keep safe: http://www.buzzfeed.com/ryanhatesthis/hacker-group-exploits-security-hole-in-tumblr

Update: The GNAA says that the hack was part of an anti-blogging campaign.

> This was just another part of our "anti-blogging" campaign. GNAA's stance on blogging in general has always been a negative one: in short, blogging is lowering journalistic standards to the point where the number of friends a murderer has on Facebook has become news.

http://www.guardian.co.uk/technology/2012/dec/03/tumblr-cyber-worm-anti-blogging
rootinier, over 12 years ago
Yep. http://www.businessinsider.com/tumblr-hacked-2012-12

tl;dr: if you have a Tumblr account (and an active session), delete your cookies before opening any *.tumblr.com site.
derpenxyne, over 12 years ago
The exploit uses a "data-uri script tag" in the video embed field. In other words, it runs some sort of script through the section of the site that's supposed to only allow video embed codes from sites like YouTube and Vimeo. A pretty serious security hole.
schill, over 12 years ago
Looks like a Base64-encoded JS URI in the video player URL. Somewhat sneaky. How it ends up redirecting the page to a reblog URL isn't clear. https://gist.github.com/4196142
thezilch, over 12 years ago
Hacking vector was fixed: https://twitter.com/tumblr

"Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience."
Hello71, over 12 years ago
Looking at the other comments, this seems like basic CSRF to me.
j2labs, over 12 years ago
Nothing particularly interesting seems to have actually happened. Some posts got onto the Dashboard, which was still running. In fact, everything was still working just fine.

Script kiddies found a small crack and went for it.