Tuesday, September 24, 2013

Tumblr got DOM XSSed

While using this awesome blog platform - which hosts more than 138.4 million blogs - I came across a vulnerability that could be used by malicious users for a variety of illegal activities (stealing user credentials, spreading malware, spamming, etc.).
This vulnerability could put millions of web surfers at risk of malicious user attacks.

The affected file was located at http://assets.tumblr.com/assets/scripts/tumblelog_iframe.js.
A couple of variables (name and title) taken from the source location.hash weren't properly sanitized. So basically anyone could exploit it by injecting HTML and launching a reflected DOM XSS attack - https://www.owasp.org/index.php/DOM_Based_XSS.

Vulnerable code:
(...)
if (v) {
    v.innerHTML = decodeURIComponent(e.get.name)
}
(...)
document.getElementById("name").innerHTML = r;
document.getElementById("title").innerHTML = decodeURIComponent(x).replace(/\+/g, " ");
(...)

Proof-of-concept:
http://assets.tumblr.com/assets/html/iframe/o.html?_v=0e885d75acad691664be152f8a0af5b0#src=http%3A%2F%2Fstatus.soundcloud.com%2Fpost%2F55089207412%2Fmaintenance-tomorrow-morning&pid=55089207412&rk=Obe5imR3&lang=en_US&name=soundcloudstatus%3Cimg%20src=x%20onerror=prompt%281%29;%3E&avatar=http%3A%2F%2F24.media.tumblr.com%2Favatar_d06f17cd8eb4_64.png&title=SoundCloud+Status&url=http%3A%2F%2Fstatus.soundcloud.com%2F&page_slide=slide


You didn't even need to be authenticated in Tumblr.

Tumblr patched it by using a sanitize function in the JavaScript file:
(...)
document.getElementById("name").innerHTML=_t.sanitize(r,true);
document.getElementById("title").innerHTML=_t.sanitize(x,true).replace(/\+/g," ");
(...)
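
An added example, not code from the original post or from Tumblr: one way to handle the name and title fragment values safely, writing them with textContent and escaping only where an innerHTML sink has to stay. The helper names (parseHashParams, decodeParam, escapeHtml, renderLabels) are hypothetical, and escapeHtml is an assumption about what a sanitizer of this kind does, not the implementation of _t.sanitize; the sample fragment is shortened from the proof-of-concept above.

```javascript
// Added example: hypothetical helpers, not Tumblr's code or its _t.sanitize.
// Sample fragment constructed by shortening the proof-of-concept URL above.
const SAMPLE_HASH = '#pid=55089207412' +
  '&name=soundcloudstatus%3Cimg%20src=x%20onerror=prompt%281%29;%3E' +
  '&title=SoundCloud+Status';

// Split "#k=v&k2=v2" into still-encoded values. Only the first "=" separates
// key from value, because the value itself may contain "=" (as in the sample).
function parseHashParams(hash) {
  const params = Object.create(null);
  for (const pair of String(hash).replace(/^#/, '').split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    if (i === -1) params[pair] = '';
    else params[pair.slice(0, i)] = pair.slice(i + 1);
  }
  return params;
}

// Decode one value. "+" becomes a space before decoding so that an encoded
// %2B survives; a malformed percent-escape yields '' instead of a URIError.
function decodeParam(raw) {
  if (raw == null) return '';
  try {
    return decodeURIComponent(String(raw).replace(/\+/g, ' '));
  } catch (e) {
    return '';
  }
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// For a sink that has to stay innerHTML: escape so the value is inert text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Preferred fix: textContent never parses its value as markup.
function renderLabels(doc, hash) {
  const params = parseHashParams(hash);
  for (const id of ['name', 'title']) {
    const el = doc.getElementById(id);
    if (el) el.textContent = decodeParam(params[id]);
  }
}

console.log(escapeHtml(decodeParam(parseHashParams(SAMPLE_HASH).name)));
```

In a browser, renderLabels(document, location.hash) would fill the two elements with plain text, so the markup in the name value is displayed rather than parsed.
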
It took more than two months to fix this reflected DOM XSS. And this isn't the first time that Tumblr has ignored this kind of vulnerability. On June 25, 2012 the researcher Riyaz Walikar found and published a persistent XSS (http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html) that was only patched by Tumblr when it became public. They ignored his emails disclosing the vulnerability.

I really hope that in the future Tumblr patches this kind of security issue faster.

Timeline:
11 Jul 2013: Reported to Tumblr
11 Jul 2013: Tumblr reported that they're looking into it
17 Jul 2013: I asked for an update
17 Jul 2013: Tumblr reported again that they're looking into it
06 Aug 2013: I asked for another update
13 Aug 2013: Tumblr reported that they reviewed the exploit and were taking appropriate actions on their end
20 Sep 2013: I noticed that the security issue was fixed and never got any reply.
24 Sep 2013: Full disclosure

2 comments:

  1. Where did you report the vulnerability for tumblr.com, and did you get any reward for that?

    1. Hi,

      I reported it to this email account - support at tumblr dot com - and no, I didn't receive any reward. I didn't even receive a thank-you note...