On Monday morning, the notorious anti-blogging trolling hacker group GNAA hacked Tumblr, propagating a worm in the disguise of a racist spam message urging users to kill themselves.
The original target appears to have been the “brony” tag on tumblr—bronies being the adult, male fans of the children’s show My Little Pony: Friendship Is Magic. The first Tumblrs that were infected, including the Internet culture site the Daily Dot, used the brony tag, and from there, it seems, thousands of other Tumblrs fell victim, including those belonging to USA Today, the Verge, and Reuters. In a press release announcing today’s attack (warning: click at your own risk), GNAA insults brony culture with racist, inflammatory language typical of trolls, before mentioning an upcoming “brony-removal drive.”
The group claims to have infected 8,600 individual Tumblrs with the worm.
GNAA is a trolling group that has been around since 2002, and in that time it has targeted everyone from conspiracy theorist Alex Jones and CNN to Barack Obama’s campaign websites. Internet watchers may remember the name GNAA when the group pranked media outlets during Hurricane Sandy with fake tweets claiming that they were looting evacuated houses. (One fake tweet, for instance, had a member stealing a cat.) As a trolling group, the GNAA has no real defined mission, other than to wreck havoc on the Internet.
In a Twitter DM exchange, GNAA’s Interim Vice President @Ms_meepsheep told me he or she had uncovered the vulnerability about a month ago that allowed them to spam this image. The attack itself took about a week of planning which included “a massive phishing scam by sister troll group #dongforce.”
Some outlets have speculated the Tumblr hack is related to the video embed field on Tumblr, but @Ms_meepsheep says it exploits vulnerabilities in “multiple fields, including all mobile post fields.” He or she continued, “Lazy developers, far too incompetent to sanitize input, are the ones to blame. As long as web developers do not care about their users, hackers (or script kiddies depending on point if view) will be there to exploit their errors. Expect more fun from the GNAA in the future. …”
@Ms_meepsheep claims Tumblr actually knew about these vulnerabilities “damn well in advance,” as he or she has “emails sent to cloudfare that prove this.” When pressed for more information, @Ms_meepsheep claims “Tumblr emailed cloudfare over a box that was exploiting this before the final hit today,” before directing me to an Encyclopedia Dramatica article (think Wikipedia for Internet phenomena—and NSFW*) containing an email from Tumblr employee Christopher Price.
As of Monday afternoon, Tumblr reports that everything is back to normal.
*This post was updated at 2:30 Eastern to note that Encyclopedia Dramatic may be NSFW.