"It appears that the worm took advantage of Tumblr's reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages," explained Sophos' Graham Cluley.
Those who weren't logged in would be redirected to the standard login page. Once logged in, the offending post would the continued to do its thing and reblog the post on their Tumblr.
In the meantime, Tumblr has disabled posting for a couple of hours and proceeded to clear the affected accounts. According to a Twitter post by the company, the issue has been resolved.
Security researcher Janne Ahlberg saw the tweet but decided to check for himself whether the root-cause - the XSS vulnerability - was resolved as well, since Tumblr is not exactly famous for fixing issued quickly.
"I created a temporary Tumblr account using different browser, submitted a public post with stored XSS payload and visited the profile from another PC & different account. The vulnerability seems to be valid," he pointed out.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.