Stored XSS That Allowed Hackers To Hijack Tumblr Blogs Still Unfixed

December 11, 2012 By Ali Loney

Softpedia – (International) Stored XSS that allowed hackers to hijack Tumblr blogs still unfixed. The stored cross-site scripting (XSS) vulnerability that allowed hackers to hijack Tumblr blogs remains unfixed, according to a security researcher. The researcher explains that the vulnerability could be used for a range of cybercriminal operations, including phishing, malware distribution, and spamming users. He also reveals some notable properties of this particular stored XSS hole. For instance, victims of attacks that exploit it do not have to be logged in to Tumblr. The bug can also propagate: when an affected entry is reblogged, the payload is copied into the new post. Furthermore, arbitrary JavaScript can be executed in the victim’s browser from a remote location.
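The two properties the report highlights, a stored payload that is served to any visitor whether logged in or not, and a reblog that copies the stored body verbatim into a new post, follow directly from rendering stored user content into HTML without output encoding. The following is an added illustration, not code from Tumblr or from the Softpedia article: a toy in-memory blog with a reblog function, an unsafe renderer that interpolates the post body straight into the page, and a hardened renderer that escapes it. The post store, function names and the sample body are all constructed for this example.

```python
import html
from dataclasses import dataclass


@dataclass
class Post:
    author: str
    body: str  # user-supplied content; treated as untrusted


# Constructed in-memory post store (hypothetical, stands in for a database)
POSTS: dict[int, Post] = {}


def create_post(author: str, body: str) -> int:
    """Store a new post and return its id. The body is stored as-is:
    storing raw markup is fine, the mistake is in how it is rendered."""
    post_id = len(POSTS) + 1
    POSTS[post_id] = Post(author, body)
    return post_id


def reblog(post_id: int, new_author: str) -> int:
    """Reblog copies the original body verbatim, so any markup stored in
    the original post is now stored in the new post as well. This is the
    propagation behaviour the report describes."""
    original = POSTS[post_id]
    return create_post(new_author, original.body)


def render_unsafe(post_id: int) -> str:
    """Stored XSS pattern: untrusted text is interpolated into HTML with no
    encoding, so any tag in the body is interpreted by every visitor's
    browser, logged in or not."""
    p = POSTS[post_id]
    return f"<article><h2>{p.author}</h2><div>{p.body}</div></article>"


def render_safe(post_id: int) -> str:
    """Hardened renderer: HTML-escape every user-controlled value at the
    point where it is placed into an HTML text context."""
    p = POSTS[post_id]
    return (
        f"<article><h2>{html.escape(p.author)}</h2>"
        f"<div>{html.escape(p.body)}</div></article>"
    )


def contains_script_tag(rendered: str) -> bool:
    """Simple detection check a test suite can run over rendered output."""
    return "<script" in rendered.lower()


# Constructed sample body with a harmless marker tag
SAMPLE_BODY = "Nice photo! <script>/* constructed marker */</script>"


def demo() -> dict:
    """Create a post, reblog it, and compare both renderers on each copy."""
    POSTS.clear()
    original = create_post("alice", SAMPLE_BODY)
    copy = reblog(original, "bob")
    return {
        "unsafe_original_executes": contains_script_tag(render_unsafe(original)),
        "unsafe_reblog_executes": contains_script_tag(render_unsafe(copy)),
        "safe_original_executes": contains_script_tag(render_safe(original)),
        "safe_reblog_executes": contains_script_tag(render_safe(copy)),
        "reblog_body_copied": POSTS[copy].body == POSTS[original].body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`html.escape` is the right tool only for an HTML text context; a value placed inside an attribute, a URL, or a script block needs the encoding for that context, and rich-text features that must keep some markup call for an allow-list HTML sanitizer rather than escaping.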

Source: http://news.softpedia.com/news/Stored-XSS-That-Allowed-Hackers-to-Deface-Tumblr-Blogs-Still-Unfixed-313829.shtml

Tags: component vulnerabilities, AppSec Spotlight

Written by Ali Loney

Ali Loney is a Senior UX Designer at Walmart Labs. She is based in Canada and was the former Graphic Designer at Sonatype.