A nasty worm that defaced thousands of Tumblr account sites with an offensive post riddled with obscenities spread like wildfire this morning. Security experts say the attackers exploited a weakness in Tumblr’s reblogging function. The attackers tucked encoded JavaScript inside a hidden iFrame that lifted content from a malicious URL. The worm only worked on users who were logged in, and the attackers defaced rather than doxed or performed other more nefarious acts, experts say. Tumblr cleaned up the posts and patched the hole by 1:30 p.m. EST today.”]
Source: https://www.darkreading.com/attacks-breaches/worm-trips-up-tumblr