Hack Hack Hack Hack It Apart

Tumblr Inundated With Sea of Malicious Spam; GNAA Claims Responsibility

The spammy message. (Screencap: Tumblr)

Community managers all over town are dealing with what probably feels like the end of the world right now. We just logged onto our dashboard and discovered that quite a few Tumblrs–most prominently the Verge, as well as USA Today and the Daily Dot–seem to have been hijacked. Your dashboard, like ours, is probably being flooded with this charming message:

Dearest ‘Tumblr’ users,

We have taken the liberty of upgrading your (rather tasteless, we must say) blog to our premier GNAA Deluxe Gary Niger (pictured to the left) Signed Edition! This is in response to the seemingly pandemic growth and world-wide propagation of the most FUCKING WORTHLESS, CONTRIVED, BOURGEOISIE, SELF-CONGRATULATING AND DECADENT BULLSHIT THE INTERNET EVER HAD THE MISFORTUNE OF FACILITATING.

It goes on in that vein, suggesting emo Tumblr users drink bleach and die.

The language of the post seems to indicate that it’s the work of hacker group “Gay Nigger Association of America.” Plus, here they are on Twitter:

Betabeat has covered the group’s antics before, when they tricked several publications into believing people were looting following Superstorm Sandy. Wikipedia calls them an “anti-blogging Internet-trolling organization.”

The hack is fairly benign, though widespread. It’s a JavaScript exploit that immediately reblogs the post to your Tumblr if you hit OK or Cancel on the dialog box that pops up. You can get rid of the posts by going into your Tumblr’s mass post editor and deleting them; you’ll also want to change your password as an extra security precaution.

The focal point of the spam began with the Tumblr brony tag, where fans of My Little Pony congregate (hence the fact that The Daily Dot was one of the first Tumblrs to get hit). In a press release, GNAA writes:

An elite team of GNAA ubernigger supersoldier commandos (each packing 9-to-11 inches of black power) stormed the DHX Media Vancouver headquarters under cover of darkness late last night to commemorate the release of My Little Pony: Friendship is Magic Season 3.

“The New Release of My Little Pony: Friendship is Magic Season 3 marks the third anniversary of this perverse Jewish abomination. The ‘Brony’ movement is an illogical fetish for manchildren. While our previous ‘Brony Outreach’ had been a success”, stated GNAA Founder and CEO Niger, “we quickly grew tired of these perverted repugnant manchildren within our ranks.”

Tumblr spokesperson Katherine Barna told Betabeat:

There is a viral post circulating on Tumblr which begins “Dearest ‘Tumblr’ users”. If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible.

Tumblr also tweeted the following message:

We are aware that there is a viral post circulating on Tumblr. We are working to resolve the issue as swiftly as possible. Thank you.

Well, that seems a little like an understatement.

Meanwhile, Tumblr is responding with–what else?–GIFs. From ILoveCharts:

Update (12:27): Looks like the total number of users affected is at least 8,600, though the account @Gary_Niger appears to have deleted tweets boasting about the hack. Might it have something to do with GNAA publicity account @LiteralKa getting suspended from Twitter?

Update (12:33): Gawker reports that GNAA claims to have warned Tumblr about the security exploit weeks ago. GNAA spokesperson Literal Ka told Adrian Chen:

We contacted Tumblr about this weeks ago and nothing came of it. This was a serious issue that needed to be fixed. Someone would have done a lot worse than just posting a message over and over if they didn’t fix it right away…

Betabeat also received a comment from Leon Kaiser, the head of GNAA. He confirms that @Gary_Niger deleted tweets relating to the hack for fear of being suspended by Twitter, elaborating:

The tweets were indeed deleted because we are worried about being suspended from Twitter… This was just another part of our “anti-blogging” campaign. GNAA’s stance on blogging in general has always been a negative one: in short, blogging is lowering journalistic standards to the point where the number of friends a murderer has on Facebook has become news.

Mr. Kaiser also told The Guardian that Tumblr consistently “puts the safety of their users second to their revenue.”

Update (12:59): Naked Security has more on the hack: Anyone who was logged into Tumblr automatically reblogged GNAA’s post upon visiting an infected page. If you weren’t logged in, you were simply redirected to the standard log-in page. You can get a more granular look at the hack here.

Update (1:20): As we mentioned earlier, Mr. Kaiser, the president of the GNAA, told The Guardian that today’s hack was designed to send a message to Tumblr about prioritizing revenue above security:

“Tumblr is a blogging website whose employees we have found, time and time again, to put the safety of their users second to their revenue. Instead of hiring competent, dedicated staff, they hire part-time programmers who can’t even defend against the most basic of security issues, such as XSS. I mean, for chrissake, they don’t even throttle (or the threshold is ridiculously high) the number of posts per minute a user is allowed to make! Blogging services everywhere need to step up and hire people who know what they’re doing.”

Considering that Tumblr employs at least 47 engineers (according to current employees on LinkedIn) and is trying to hire at least 8 more, we asked Mr. Kaiser to elaborate on GNAA’s stated motivations for the hack. “If 47 engineers can’t prevent simple security issues, then I have serious concerns about who they’re hiring,” Mr. Kaiser responded by email. (We have reached out to Tumblr to get a total engineer count and will update the post when we hear back.)

Update (1:30): “Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs earlier today,” Tumblr spokeswoman Katherine Barna told Betabeat in an email. “Thank you for your patience.”

Update (2:47): Information about what exactly went wrong for Tumblr continues to trickle out. Slate’s Future Tense talked to GNAA’s interim VP, who pointed to problems in mobile posting:

@Ms_meepsheep says it exploits vulnerabilities in “multiple fields, including all mobile post fields.” He or she continued, “Lazy developers, far too incompetent to sanitize input, are the ones to blame. As long as web developers do not care about their users, hackers (or script kiddies depending on point of view) will be there to exploit their errors.”
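The two weaknesses named in the quotes above (unsanitized post fields that let embedded script run in viewers’ browsers, and no throttle on posts per minute) map to two server-side controls. The following is an added illustration, not Tumblr’s code or anything GNAA published; the field names, limits and sample post are assumptions chosen for the example.

```javascript
// Added example: output-encode every user-supplied post field before it is placed in
// a page template, and throttle how many posts/reblogs one account may create per minute.
// Not Tumblr's implementation; field names and limits are assumed for illustration.

// Encode the characters that let text break out of an HTML text node or attribute value,
// so a stored post body is rendered as text rather than parsed as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Render a post from untrusted fields (title, body, caption, ... including mobile post
// fields) by encoding each one; the template never receives raw user input.
function renderPost(fields) {
  const safe = {};
  for (const [name, value] of Object.entries(fields)) safe[name] = escapeHtml(value);
  return `<article><h2>${safe.title}</h2><div class="body">${safe.body}</div></article>`;
}

// Sliding-window throttle: allow at most `limit` posts per user in any `windowMs` span.
// A self-propagating reblog still spreads, but one account cannot fire unboundedly fast.
class PostThrottle {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.timestamps = new Map(); // userId -> array of post times (ms)
  }
  allow(userId, nowMs = Date.now()) {
    const recent = (this.timestamps.get(userId) || []).filter((t) => nowMs - t < this.windowMs);
    const permitted = recent.length < this.limit;
    if (permitted) recent.push(nowMs);
    this.timestamps.set(userId, recent);
    return permitted;
  }
}

// Constructed sample input: a post body carrying a script tag, submitted five times in
// five seconds by one account against a limit of 3 posts per minute.
const constructedPost = { title: 'Dearest users', body: '<script>alert(1)</script><b>hi</b>' };
const renderedHtml = renderPost(constructedPost); // contains '&lt;script&gt;', never '<script'

function burstDecisions(count, limit, windowMs, startMs) {
  const throttle = new PostThrottle(limit, windowMs);
  const decisions = [];
  for (let i = 0; i < count; i++) decisions.push(throttle.allow('user-1', startMs + i * 1000));
  return decisions;
}
const burst = burstDecisions(5, 3, 60000, 1000000); // [true, true, true, false, false]
```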

Of course, as with everything else from GNAA, this is worth taking with a grain of salt.

Nitasha Tiku contributed reporting to this article.