Tumblr's troll: A wake-up call for social networks
Kyle Adams, chief software architect, Mykonos at Juniper Networks
Social networking sites are becoming victims of their own success.
Hundreds – even thousands – of users can share information faster than ever before, providing a more connected world. However, as more people use these sites, they become an attractive target for hackers. Most recently, we saw a relatively new style of exploit on the popular Tumblr blogging platform infecting the web application itself with a self-replicating worm.
It wasn't too long ago when attackers only had two primary targets: applications hosted on servers running in remote locations and user machines that accessed those applications. The infamous Code Red and ILOVEYOU worms infected servers and clients respectively. However, changes in the security landscape have made these targets less attractive for worms. Due to the mass adoption of strong anti-virus products, worms are far less likely to have the reach and impact they had in the past.
As servers and clients become less attractive for hackers, a new target has emerged: social networking. Clients and servers generally represent actual dedicated pieces of hardware sitting in a physical location, but social networking applications have created an entirely new environment – one where a virtual collection of interconnected data records is housed in a large database. Social network user accounts are not applications in themselves and can't communicate with the outside world. They're just data that, when visualized, bear a striking resemblance to what one might expect to see from a network map of target servers and clients.
While social networking accounts generally can't “run” code, they can influence the content displayed to machines in a host application, such as a browser, which absolutely can run code. Although harder to pull off, this lets attackers inject code into the data of a user account on a social network; when that data is displayed to another user, the code executes through cross-site scripting (XSS). That code can then take actions on the visiting user's account within the social network. Anti-virus software is unable to detect such activity because neither the user accessing the social networking application nor the server hosting it is ever technically infected. The server provides the environment, the users act as intermediary carriers of the worm, and the actual victim is pure data records in a database.
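The mechanism described above comes down to one step: a renderer that copies stored user data into HTML verbatim. The following is an added example, not code from the article, Tumblr or Juniper, showing a deliberately vulnerable post renderer beside the hardened form (contextual HTML output encoding), plus a coarse review-time check that flags executable markup in rendered output. The post record, function names and the check are all constructed for illustration; the script tag in the sample contains only a comment.

```javascript
// Added example (not from the article): why a stored post becomes code, and the fix.
// A social network "post" is just a data record. The only thing that turns it into
// executing code is a renderer that inserts it into HTML without encoding.

// Constructed sample of attacker-controlled post content. The <script> body is only a
// comment; the point is the markup itself, which a browser would parse as code.
const CONSTRUCTED_POST = {
  author: "blog-with-a-large-following",
  body: 'Look at this! <script>/* worm body would go here */</script><img src=x onerror="x()">',
};

// Vulnerable renderer: concatenates untrusted fields straight into the page. A browser
// loading this page runs the post body with the viewing user's session and privileges.
function renderPostUnsafe(post) {
  return `<article><h2>${post.author}</h2><p>${post.body}</p></article>`;
}

// Contextual output encoding for HTML text nodes: every character that can open a tag,
// end an attribute or start an entity is replaced by its entity form, so the browser
// displays the characters instead of parsing them.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened renderer: same template, but every untrusted field passes through the encoder.
function renderPostSafe(post) {
  return `<article><h2>${escapeHtml(post.author)}</h2><p>${escapeHtml(post.body)}</p></article>`;
}

// Coarse review-time check (constructed for this example): does rendered HTML contain a
// script element or an inline event handler inside a tag? Useful for logging or tests,
// not a substitute for encoding, since it only knows two executable constructs.
const EXECUTABLE_MARKUP = /<script\b|<[a-z]+[^>]*\son[a-z]+\s*=/i;
function containsExecutableMarkup(html) {
  return EXECUTABLE_MARKUP.test(html);
}

// Stand-alone demonstration.
console.log("unsafe render executable?", containsExecutableMarkup(renderPostUnsafe(CONSTRUCTED_POST)));
console.log("safe render executable?  ", containsExecutableMarkup(renderPostSafe(CONSTRUCTED_POST)));
console.log(renderPostSafe(CONSTRUCTED_POST));
```

The encoder here is specific to HTML text content; data placed into an attribute, a URL or a script block needs the encoding rules of that context, which is why frameworks bundle context-aware templating rather than a single escape function.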
Tumblr's recent troll hack is a great large-scale example of this type of attack. Hacking collective GNAA created a worm designed to exploit a combination of web vulnerabilities to allow an infected post to hijack the sessions of authenticated Tumblr users who viewed the worm's message. The message only needed to be posted on a handful of accounts with a large social following. Once regular visitors of those accounts viewed the message, their accounts were infected as well.
Tumblr's actual web server and user accounts were never compromised. We're talking about purely virtual data, which in Tumblr's case was quickly sanitized to eradicate all instances of the infectious code. Once the original vulnerability that enabled a post to execute code in a visiting browser was patched, the worm quickly died.
What makes this type of worm so powerful is that it doesn't need to be obvious, and it doesn't need to be benign. Imagine if the Tumblr worm was a little more elegant with its propagation and instead of posting inflammatory messages to offend large groups of users, reposted legitimate messages from the victim's account.
If the worm contained a second payload intended to compromise the end user's desktop machine in addition to propagating to other accounts, it could not only infect a large number of accounts, but also compromise the machines of all the visitors to those accounts. Gone are the days of email propagation of threats – disseminating a harmful worm via many thousands of popular and trusted pages is far more efficient and viable.
It's important for social networking companies to prepare themselves for such an attack. If successful, the platform used to disseminate a highly damaging worm would be liable for any damages. It's the well-known web vulnerabilities like XSS, SQL injection, and cross-site request forgery that even make these types of attacks possible. At this stage, it's just not credible for a large scale public website to allow such vulnerabilities to go unnoticed and unpatched. Fortunately for Tumblr, and prior victims including MySpace and Twitter, these worms were not destructive in nature.
Social networking success is measured by the number of users. This very measure of success will become social networking's downfall if these sites fail to secure their websites and these types of attacks gain popularity.
The Tumblr incident should serve as a powerful example of the importance of protecting web applications and of secure coding practices.