There appears to be a worm impacting many Tumblr websites, defacing pages with an identical message.
The message was posted alongside an image of a man and the logo of a group called the “GNAA”.
The “GNAA”, the Gay N***** Association of America, is an association of internet trolls that seems to have a particular delight in winding up bloggers with racist posts.
At the time of writing, Tumblr does not appear to have said anything about the problem. However, many Tumblr users have turned to other social media outlets to share their concerns that they have been hit by a worm.
For instance, news website The Verge told its readers that its Tumblr had fallen victim to the hack:
Yes, our Tumblr appears to have been hacked. We're taking care of this — and we recommend staying away from those nasty links.
— The Verge (@verge) December 3, 2012
The hack is still being investigated, and we’ll update this article as we find out more. In the meantime, however, we would recommend that internet users do not visit Tumblr sites, particularly if they run their own Tumblr page and are logged into the site, as this is a possible method through which the attack could be spread.
Of course, Tumblr isn’t the first social media site to be hit by a fast-spreading worm. For instance, a couple of years ago Twitter was widely hit by a worm that exploited a cross-site scripting (XSS) vulnerability.
See also: How the Tumblr worm spread so quickly
Update: Tumblr has now issued a statement about the security problem:
We are aware that there is a viral post circulating on Tumblr. We are working to resolve the issue as swiftly as possible. Thank you.
— tumblr dot com the website and app (@tumblr) December 3, 2012
When I tried to post to Tumblr from a test account I was presented with the following message, which may indicate that Tumblr has temporarily disabled posting to prevent the worm from spreading further:
Further update: Tumblr says that it has now resolved the issue:
Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.
— tumblr dot com the website and app (@tumblr) December 3, 2012