A quickly spreading worm on Tumblr has caused media companies The Verge, Reuters, and a large number of other account holders to publish a post laced with racist epithets and other offensive content.

The stunt, attributed to long-time Internet trolling collective GNAA, caused affected Tumblr accounts to display the post. People who viewed the post while logged into Tumblr were in turn forced to publish the offensive content, causing the attack to spread virally, according to security researchers. More than 86,000 accounts were affected, according to unconfirmed claims from GNAA members. Tumblr issued a statement saying site engineers are working to combat a "viral post circulating on Tumblr." It advised anyone who has viewed the post to immediately log out of all browsers that may be logged in. Update: Later in the day the company said engineers had resolved the problem.

According to researchers at antivirus provider Sophos, the GNAA post spread by including malicious code that exploited weaknesses in Tumblr's reblogging feature. A coding tag contained in the post linked to malicious code on another website. The JavaScript exploit, which was included in an iframe tag that pointed to an outside website, used what is known as base-64 encoding. It's a technique that uses printable ASCII characters to represent large chunks of binary data and has the benefit of making it harder to know exactly how a script will behave when executed.

"It shouldn't have been possible for someone to post such malicious JavaScript into a Tumblr post," Sophos Senior Technology Consultant Graham Cluley wrote. "Our assumption is that the attackers managed to skirt around Tumblr's defenses by disguising their code through Base 64 encoding and embedding it in a data URI."
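The filtering gap Cluley describes, seen from the defender's side in an added example that is not code from Sophos, Tumblr or the original article: a filter that only searches submitted text for literal script markup passes the same markup once it is Base64-encoded inside a `data:` URI, while a check that rejects `data:` URIs in URL-bearing attributes and decodes them for triage catches it. The naive filter, the function names and the sample posts are assumptions constructed for illustration, and the regex-based attribute extraction stands in for a real HTML parser.

```javascript
// Constructed sample posts for illustration; not the content of the real worm.
const PLACEHOLDER = '<script>/* constructed placeholder */</script>';
const SAMPLES = {
  clean: '<p>hi</p><img src="https://example.com/a.png">',
  plain: '<p>hi</p>' + PLACEHOLDER,
  encoded: '<p>hi</p><iframe src="data:text/html;base64,' +
    Buffer.from(PLACEHOLDER).toString('base64') + '"></iframe>',
};

// Hypothetical naive filter: searches the submitted text for literal script markup.
function naiveFilterFlags(html) {
  return /<script\b|javascript:/i.test(html);
}

// Collect values of URL-bearing attributes (simplified; a real filter parses the HTML).
function urlAttributeValues(html) {
  const re = /\b(?:src|href|data|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  return Array.from(html.matchAll(re), (m) => m[1] ?? m[2] ?? m[3]);
}

// Split a data: URI into media type and decoded body; null if not a data: URI.
function parseDataUri(value) {
  const m = /^data:([^,]*),([\s\S]*)$/i.exec(value.trim());
  if (!m) return null;
  const params = m[1].split(';').map((p) => p.trim().toLowerCase());
  let body;
  try {
    body = params.includes('base64')
      ? Buffer.from(m[2], 'base64').toString('utf8')
      : decodeURIComponent(m[2]);
  } catch {
    body = m[2]; // malformed percent-encoding: keep the raw text for triage
  }
  return { mediaType: params[0] || 'text/plain', body };
}

// Stricter check: reject any data: URI in a URL attribute, and decode it so the
// log shows what the encoded blob actually contained.
function inspectPost(html) {
  const findings = urlAttributeValues(html)
    .map(parseDataUri)
    .filter(Boolean)
    .map((d) => ({ mediaType: d.mediaType, decodedHasScript: naiveFilterFlags(d.body) }));
  return { reject: naiveFilterFlags(html) || findings.length > 0, findings };
}

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', naiveFilterFlags(html), 'strict:', JSON.stringify(inspectPost(html)));
}
```

Rejecting the `data:` scheme outright, rather than trying to recognise bad content inside it, is what closes the gap; the decoded body is kept only so an analyst can see what was submitted.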

It's unclear how the worm was able to spread so rapidly, but one theory that couldn't be ruled out as of the time of this writing is the possibility of an XSS hole found on Tumblr's site. Short for cross-site scripting, XSS techniques allow attackers to inject browser code of their choice into websites that are trusted by millions of users. In turn, miscreants can exploit XSS holes to perform drive-by malware installations, steal Web authentication credentials, post unauthorized content, or carry out other tasks not intended or initiated by the end user.

Assuming the Tumblr worm did exploit an XSS vulnerability in one of its Web applications, it wouldn't be the first time a social media site was hit by such an attack. In April 2009, Twitter was struck by a series of powerful, self-replicating exploits that caused accounts to flood the micro-blogging site with tens of thousands of messages simply by viewing booby-trapped user profiles. The most notorious self-replicating attack to hit social media was the Samy worm of 2005. It knocked MySpace out of commission when it added more than one million MySpace friends to a user named Samy. The author, one Samy Kamkar, was later convicted for the stunt.

According to Gizmodo, the malicious posting can be easily removed from infected accounts using the Tumblr mass editor. The site also recommends affected users change their account password, a measure that's probably not necessary, but wise considering Tumblr researchers have yet to offer a complete analysis of the attack.

Post updated to rewrite headline and correct description of base 64 encoding.