Stored (Persistent) XSS on tumblr

Tumblr is vulnerable to a Stored (persistent) Cross Site Scripting Vulnerability, which I disclosed to them around 3 weeks ago, but it looks like it's still not fixed.

Tumblr, stylized as tumblr., is a microblogging platform and social networking website, owned and operated by Tumblr, Inc. The service allows users to post multimedia and other content to a short-form blog, named a “tumblelog”. Users can follow other users’ blogs, as well as make their blogs private. Much of the website’s features are accessed from the “dashboard” interface, where the option to post content and posts of followed blogs appear. [Source: Wikipedia]

Last I checked, Tumblr has 63.7 Million Blogs and 27 Billion Posts, which is why it is very discomforting to find an issue like XSS on a site that is ranked 35 on Alexa.

For the newbies, Cross Site Scripting is a vulnerability that arises when an application does not sanitize user input and sends it back to the browser without removing or encoding malicious characters. Malicious characters are any characters that a browser can use to render HTML or script content (<, ", /> etc.). So, instead of displaying the user input as text, the browser will render or execute it, depending on whether the input was HTML-tagged content or script content.

XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user’s browser using automated frameworks like BeEF, and download and execute exploits on the victim’s computer. Stored XSS is even more dangerous, since the script is stored on the server and is executed every time a user visits an infected page. Several XSS-based worms have been created in the past that have caused a lot of trouble on popular websites like Myspace and Orkut.

I will wait another week before posting the technical details here. In the meantime, here are some screenshots for the curious:

Update [14 July 2012]: Tumblr has fixed the Stored XSS vulnerability, so here are the technical details as promised.

The XSS issue was on the “Register Application” page at The application was not sanitizing user input when a user would create a new application. An XSS attack vector like tester"><img src="x" /> would trigger an alert box, displaying the user’s cookie, in the browser.
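The attribute breakout described above and the output-encoding fix for it, as an added example that is not part of the original post and is not Tumblr's code. The form markup and the app_name field are hypothetical, and the sample value is the string quoted in the post, written with straight quotes.

```javascript
// Constructed sample: the string quoted in the post, with straight quotes.
const STORED_NAME = 'tester"><img src="x" />';

// Encode the characters that are significant in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical template: the stored name is echoed into a value attribute as-is.
function renderVulnerable(name) {
  return '<input type="text" name="app_name" value="' + name + '">';
}

// Same template with the stored value encoded at output time.
function renderEncoded(name) {
  return '<input type="text" name="app_name" value="' + escapeHtml(name) + '">';
}

// Minimal scanner: list the elements a browser would open, honouring quoted
// attribute values so a "<" inside quotes is not counted as a new tag.
function openedElements(html) {
  const names = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] === '<' && /[a-zA-Z]/.test(html[i + 1] || '')) {
      let j = i + 1;
      while (j < html.length && /[a-zA-Z0-9]/.test(html[j])) j++;
      names.push(html.slice(i + 1, j).toLowerCase());
      // Skip to the end of this tag, stepping over quoted attribute values.
      let quote = null;
      for (; j < html.length; j++) {
        const ch = html[j];
        if (quote) { if (ch === quote) quote = null; }
        else if (ch === '"' || ch === "'") quote = ch;
        else if (ch === '>') break;
      }
      i = j + 1;
    } else {
      i++;
    }
  }
  return names;
}

// The unencoded value closes the attribute and tag, so a second element appears.
console.log(openedElements(renderVulnerable(STORED_NAME)));
console.log(openedElements(renderEncoded(STORED_NAME)));
```

A check like openedElements can serve as a regression test for templates that echo stored values: the element list of a rendered page should not change with the stored data.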

Great work on the part of the Tumblr Security team in getting this fixed. I only hope they don’t wait 3 weeks before fixing something like this the next time.