It seems like the first large blog to go down this morning belonged to The Daily Dot, which helped spread the infected posts to hundreds, if not thousands, of other blogs. The posts are signed by the GNAA, a notoriously inflammatory hacker group.
The target seems to have been the Tumblr Brony tag, a meeting place for fans of My Little Pony Friendship Is Magic.
First, here's how to avoid getting hacked:
1) Maybe just don't go to Tumblr right now? This will be fixed soon, probably, but the exploit posts are embarrassing, and the more people get infected, the faster they spread.
2) If you DO go to Tumblr, only visit your Dashboard. Don't follow any direct links to Tumblr posts, or visit any Tumblrs directly — that's how this this spreads.
3) If you've been exploited, close all Tumblr tags, reopen your Dashboard, delete all the posts in your mass editor, and change your password. There's no evidence yet that this exploit actually accessed your account, or steals your password, but at this point it's probably still a good idea.
4) If you log out of your Tumblr account, you'll be able to view infected blogs without consequence.
A quick summary of the GNAA:
The Gay Nigger Association of America (GNAA) is an anti-blogging Internet-trolling organization. They have trolled several prominent websites and Internet personalities including Slashdot, Wikipedia, CNN, Barack Obama's campaign website, Alex Jones, and prominent members of the blogosphere. They have also released software products and leaked screenshots and information about upcoming operating systems. In addition, they maintain a wiki-based site dedicated to Internet commentary and a software repository.
GNAA's press release explaining their attack:
GNAA Launches "War on Bronies"
Leon Kaiser, M. P. Sheep, Rory -- Vancouver, Canada
An elite team of GNAA ubernigger supersoldier commandos (each packing 9-to-11 inches of black power) stormed the DHX Media Vancouver headquarters under cover of darkness late last night to commemorate the release of My Little Pony: Friendship is Magic Season 3.
"The New Release of My Little Pony: Friendship is Magic Season 3 marks the third anniversary of this perverse Jewish abomination. The ‘Brony’ movement is an illogical fetish for manchildren. While our previous ‘Brony Outreach’ had been a success", stated GNAA Founder and CEO Niger, "we quickly grew tired of these perverted repugnant manchildren within our ranks."
The GNAA has previously shown their support (via crapflood) of numerous "Brony" entities, including ponychan, derpibooru, wikia, and "fanfiction.net".
Earlier this month the GNAA released a leaked copy of the first episode of My Little Pony: Friendship is Magic Season 3, acquiring the IP addresses of nearly 200 dirty pirating bronies in the process.
"We have had a very successful month thusfar," beamed GNAA Interim President Leon Kaiser, "and it’s only the 10th of the month. We kicked off the month with our very successful #SANDYLOOTCREW operation, making international news on the very first day of the month. Since then, we have relentlessly shown our undying enthusiasm on numerous forums (via the time-honored institution of crapflooding) every day since."
"GNAA operatives are in the middle of plotting of a long ‘brony-removal drive’," grinned GNAA Interim Vice President Meepsheep, "which will include DMCA drives en masse of both YouTube and Twitter."
Here is a screenshot of the racist spam message that spreads the worm:
The blast of messages usually only lasts 10 minutes or so. BuzzFeed has reached out to Tumblr for comment. We'll update if we hear back.
UPDATE: Comment from Tumblr support staff
There is a viral post circulating on Tumblr which begins "Dearest 'Tumblr' users". If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible. Thank you.
And a theory as to how this works:
One developer suggests that the exploit uses a "data-uri script tag" in the video embed field.
In other words, it runs some sort of script through the section of the site that's supposed to only allow video embed codes from sites like YouTube and Vimeo. A pretty serious security hole!
Tumblr says it has resolved the issue. Passwords don't appear to have been compromised — it was more like forced spamming:
Ryan Broderick is a reporter for BuzzFeed News and is based in London.
Contact Ryan Broderick at firstname.lastname@example.org.
Got a confidential tip? Submit it here.