This vulnerability could put millions of web surfers at risk of malicious user attacks.
The affected file was located at http://assets.tumblr.com/assets/scripts/tumblelog_iframe.js.
Two variables (name and title) taken from location.hash weren't sanitized before being written into the page. So anyone could exploit it by injecting HTML and launching a reflected DOM-based XSS attack - https://www.owasp.org/index.php/DOM_Based_XSS.
Vulnerable code:
(...)
if (v) {
    // "name" comes straight from the location.hash parameters: URL-decoded, never HTML-escaped
    v.innerHTML = decodeURIComponent(e.get.name)
}
(...)
document.getElementById("name").innerHTML = r;  // r holds the hash's "name" value
document.getElementById("title").innerHTML = decodeURIComponent(x).replace(/\+/g, " ");  // x holds the raw "title" value
(...)
Proof-of-concept:
http://assets.tumblr.com/assets/html/iframe/o.html?_v=0e885d75acad691664be152f8a0af5b0#src=http%3A%2F%2Fstatus.soundcloud.com%2Fpost%2F55089207412%2Fmaintenance-tomorrow-morning&pid=55089207412&rk=Obe5imR3&lang=en_US&name=soundcloudstatus%3Cimg%20src=x%20onerror=prompt%281%29;%3E&avatar=http%3A%2F%2F24.media.tumblr.com%2Favatar_d06f17cd8eb4_64.png&title=SoundCloud+Status&url=http%3A%2F%2Fstatus.soundcloud.com%2F&page_slide=slide
You didn't even need to be authenticated on Tumblr to trigger it.
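As an added, runnable illustration (example code, not Tumblr's own tumblelog_iframe.js), the block below reconstructs the data flow behind the bug: a hash-parameter parser in the style of the vulnerable snippet, a stand-in element whose innerHTML is the sink, and an escape-before-insert hardening in the spirit of the patch. parseHashParams, escapeHtml, makeElement, containsTag and the example.invalid src URL are assumptions of this example; the real parser inside the iframe script and the internals of _t.sanitize are not shown on the page.

```javascript
// Added example (not Tumblr's code): hash parameters flowing into innerHTML,
// and the minimal hardening that neutralises the PoC payload.
// parseHashParams(), escapeHtml(), makeElement() and containsTag() are assumed
// helper names; the real tumblelog_iframe.js parser and _t.sanitize() are not on the page.

// Parse "#src=...&name=...&title=..." into an object. Decoding happens first and
// "+" is turned into a space afterwards, mirroring the "title" line in the advisory.
function parseHashParams(hash) {
  const params = {};
  const query = hash.startsWith('#') ? hash.slice(1) : hash;
  for (const pair of query.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');            // first "=" separates key from value
    const key = idx === -1 ? pair : pair.slice(0, idx);
    const raw = idx === -1 ? '' : pair.slice(idx + 1);
    let value;
    try {
      value = decodeURIComponent(raw).replace(/\+/g, ' ');
    } catch (e) {
      value = raw;                            // malformed %-sequence: keep the literal text
    }
    params[key] = value;
  }
  return params;
}

// HTML-escape the characters that can break out of text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Minimal stand-in for a DOM element so the example runs under Node.
// innerHTML is the HTML-parsing sink; textContent would be the safe alternative.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Vulnerable pattern from the advisory: attacker-controlled hash value straight into innerHTML.
function renderVulnerable(hash) {
  const p = parseHashParams(hash);
  const name = makeElement();
  name.innerHTML = p.name;
  return name.innerHTML;
}

// Hardened: escape before assigning to innerHTML (or, for plain text, use textContent).
function renderHardened(hash) {
  const p = parseHashParams(hash);
  const name = makeElement();
  name.innerHTML = escapeHtml(p.name);
  return name.innerHTML;
}

// Constructed fragment reusing the PoC "name" payload; the src host is a placeholder.
const POC_HASH = '#src=http%3A%2F%2Fexample.invalid%2F'
  + '&name=soundcloudstatus%3Cimg%20src=x%20onerror=prompt%281%29;%3E'
  + '&title=SoundCloud+Status';

// Did an <img ...> tag survive into the sink?
function containsTag(html) {
  return /<img\b/i.test(html);
}

console.log('vulnerable :', renderVulnerable(POC_HASH));
console.log('hardened   :', renderHardened(POC_HASH));
```

The check a practitioner wants is the pair of renders on the same input: the vulnerable path hands the parser an `<img src=x onerror=...>` tag, the hardened path hands it `&lt;img ...&gt;` and the handler never fires. Note that every value written with innerHTML needs the treatment, which is why the patch covers both "name" and "title"; where the value is meant to be plain text, assigning textContent removes the sink entirely.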
Tumblr patched it by using a sanitize function in the Javascript file:
(...)
document.getElementById("name").innerHTML=_t.sanitize(r,true);
document.getElementById("title").innerHTML=_t.sanitize(x,true).replace(/\+/g," ");
(...)
It took more than two months to fix this reflected DOM XSS, and this isn't the first time that Tumblr has ignored this kind of vulnerability. On June 25, 2012 the researcher Riyaz Walikar found and published a persistent XSS (http://www.riyazwalikar.com/2012/07/stored-persistent-xss-on-tumblr.html) that was only patched by Tumblr after it went public. They ignored his emails disclosing the vulnerability.
I really hope that in the future Tumblr patches these kinds of security issues faster.
Timeline:
11 Jul 2013: Reported to Tumblr
11 Jul 2013: Tumblr reported that they're looking into it
17 Jul 2013: I asked for an update
17 Jul 2013: Tumblr reported again that they're looking into it
06 Aug 2013: I asked for another update
13 Aug 2013: Tumblr reported that they reviewed the exploit and were taking appropriate actions on their end
20 Sep 2013: I noticed that the security issue had been fixed; I never got any reply.
24 Sep 2013: Full disclosure