Ben Dolman
June 10, 2014 11:28 pm
Did Someone Insert Phishing Code into @Tumblr?
Recently we’ve been working on Tumblr integration. During this process I noticed some strange network behavior when typing into the Tumblr login screen. I fired up Charles, one of my favorite web debugging tools, to see what was going on. After typing a character into the login text box, I saw an HTTP request to tm.txmblr.com whose response contained HTML like this:
<span class="mozcloak"><input type="password" /></span>
<a tabindex="20">Forgot password?</a>
<label for="account" class="formlabel"> </label>
<form autocomplete="off" name="signon" id="frmSignon" action="https://online.wellsfargo.com/signon" method="post">
</form>
<table><tr><td>
<select tabindex="5"><option value="foo">Foo</option></select></td></TR>
</table>
<form action="foo">
<input name="PASSWORD" maxlength="12" size="17" style="width: 119px"/>
</form>
<form action=""
enctype="mimetype" target="_self" title=""
></form>
<script type="text/javascript"> function MM_reloadPage() { return false; }
MM_reloadPage(true);
</script>
<table class="underLinedDateLine">
<tr><td>foo</td></tr></table>
<form NAME="frmStatement" METHOD="POST" ACTION="Statement.asp">
</form>
<p
class="AccountTableHeader">
</p>
<div>
Welcome to online banking…</div>
<div><p>foo</p><script type="text/javascript">var tc = Object();
tc.server_hostname = "Touchclarity.rbs.co.uk";</script></div>
<table><tr>
<td><input name="passwd" type="password" value="" size="20" style="width: 100%;"></td></tr>
<tr><td><input name="passwd" type="password" value="" size="20" style="width: 100%;"></td>
</tr><tr><td></td></tr>
</table>
<table><tr><td><span
class="H1highlight">Internet Banking</span></td>
</tr><tr><td><input type="text"
name="accountNumber" id="accountnumber" value='' size="9" maxlength="8"/></td>
</tr><tr><td><input type="text"
name="lastschool" id="lastschool" value='' size="18" maxlength="30"/></td>
</tr><tr><td><input type="text"
name="visaCardNumber" id="visanumber" value='' size="18" maxlength="16"/></td>
</tr></table>
Why in the world would Tumblr be serving up a page that contains password form code from Wells Fargo or a field labeled “visaCardNumber”?
I had one of my coworkers try it to ensure that it wasn’t due to malware on my machine. He got the same result.
The full HTTP session trace is available for examination: https://gist.github.com/bdolman/d682745394b67161d5ea
Here’s how to reproduce it:
- Download a web proxy app like Charles
- Configure Charles for SSL proxying
- Load the Tumblr login page
- Type a character into the Email field.
- Look at the traffic recorded in Charles. In particular, look for a request to https://tm.txmblr.com/fp/HP?cid…
The URL I mention above is actually over 3,500 characters long with portions of it referencing sites such as Facebook, Wells Fargo, Capital One, HSBC and Amazon.
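As an added example (not part of the original post), a small Python check a defender could run over a response body captured in the proxy trace: it flags form actions posting to hosts other than the one that served the response, password inputs, and input names hinting at credentials or card data. The sample HTML is constructed here, modelled on the fragment above, and the keyword list is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the captured fragment above (not the real payload).
SAMPLE_BODY = """
<form name="signon" action="https://online.wellsfargo.com/signon" method="post"></form>
<form action="foo"><input name="PASSWORD" maxlength="12" size="17"/></form>
<table><tr><td><input name="passwd" type="password" value="" size="20"></td></tr></table>
<input type="text" name="visaCardNumber" id="visanumber" value='' size="18" maxlength="16"/>
"""

# Input names worth flagging in an unexpected response (assumed list, not exhaustive).
SENSITIVE_KEYWORDS = ("card", "account", "passwd", "password", "pin")


class FormAuditor(HTMLParser):
    """Collect form actions and input fields while parsing an HTML body."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.password_inputs = []
        self.named_inputs = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<input .../>) also reach this method via handle_startendtag.
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "input":
            name = a.get("name") or ""
            if (a.get("type") or "text").lower() == "password":
                self.password_inputs.append(name)
            if name:
                self.named_inputs.append(name)


def audit_response(body, serving_host):
    """Report form actions posting to other hosts, password fields, and
    input names that hint at credentials or payment data."""
    parser = FormAuditor()
    parser.feed(body)
    foreign = {urlparse(act).hostname for act in parser.form_actions}
    foreign.discard(None)          # relative actions such as "foo" have no host
    foreign.discard(serving_host)  # posting back to the serving host is expected
    suspicious = [n for n in parser.named_inputs
                  if any(k in n.lower() for k in SENSITIVE_KEYWORDS)]
    return {"foreign_form_hosts": sorted(foreign),
            "password_inputs": parser.password_inputs,
            "suspicious_input_names": suspicious}
```

Run it as `audit_response(SAMPLE_BODY, "tm.txmblr.com")`; on the sample it reports the Wells Fargo form action, the `passwd` password field and the three credential-looking input names.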
I sent this information to the Tumblr security team on May 28, 2014 but I have not received any response in the intervening two weeks.
I want to make clear that I have no idea if anything harmful is actually taking place. Maybe there’s a legitimate explanation for this. But I find the very existence of this content suspicious. Since Tumblr has not responded, I’m posting this publicly in the hope that brighter minds can figure out what’s going on.
UPDATE (6/24/2014): I finally heard back from Tumblr. They said that this is normal and expected. The content above is part of a finger-printable payload that lets them detect and prevent attacks. We can all go back to using Tumblr now :)