The Latest in IT Security

Tumblr Application Spams Users with ProfileStalkr Posts


Are you aware that Tumblr supports applications? Tumblr users can select an app that takes their fancy and give it “Read and write” or just “read” access. Giving an app “Read and write” means that the app can create and edit posts on your Tumblr.

There’s an application currently spamming itself across Tumblr accounts, using the tried and tested bait of “profile stalking”. Unlike other profile stalker scams we’ve seen where the so-called “app” is really just a cookie-cutter website with a survey, this one is a cookie-cutter website with a survey and an installable application.

Here’s the app installed on a Tumblr account:

How did it get there?

It begins with a typically spammy post to an otherwise normal Tumblr:


The text reads:

Have you ever wondered who was viewing your Profile? ProfileStalkr, is the first and best application to use that allows you to see who views your Tumblr the most. YOU HAVE TO TRY THIS OUT, IT’S SO COOL!!!

Go here to try it out [URL Removed]

Clicking the link takes users to the following site:


“Ready to see your Stalkrs for free? To find your Stalkrs you must login”

Eventually, the end user is required to log in to the Tumblr website (if they haven’t already) so they can begin the authorisation process.


“Grant this application read and write access to your Tumblr account”

Uh-oh. Clicking “Allow” means that the application posts to your Tumblr page, which will now look like this:


After that, visiting the ProfileStalkr website will tease Tumblr users with an “Unlock stalker names” button overlaid with a survey popup:


Hooking a rogue application into a Tumblr account is a very inventive method of sticking around when the blog owner doesn’t want you there anymore. Older, more straightforward scams (say, a phish that resulted in spam posts via compromised credentials) were typically dead and buried the moment a Tumblr user changed their login password.

After that, the scammers started to make use of the “post by email” feature. Changed your compromised Tumblr login? Doesn’t matter, the scammer would happily keep posting away because Tumblrs come with a “secret” posting email address and simply sending a mail to it would publish a blog entry. It wouldn’t matter how many times a compromised user changed their password – unless they reset the post by email address, it would be spammed forevermore.

Now we have rogue apps spamming, which is yet another way to end up with lots of confused Tumblr users asking “how do I stop this and where are my kitten gifs?”

Here is the solution:

1) Go into your Tumblr dashboard, and click your “Account Settings” icon.


2) Click on the “Apps” link.


3) Click “Revoke Access”.


Click “Yes” on the confirmation popup, and the application will be gone from your account.

If you’ve already ended up installing this particular application, you may be worried that you’ve also potentially fallen for some other dubious Tumblr scam. If this is the case, it won’t hurt to go change your login password and reset your email posting address too and start over with a clean bill of health.

Tumblr scams have been around for a long time and continue to be a thorn in the side for Tumblr users. Seeing applications become part of the battle is an interesting twist and it’s likely that this will be a new and exciting way to keep you from angry fandom posts and rageface memes for the foreseeable future.

Just don’t mess with the cat gifs…

Christopher Boyd



SUNDAY, JULY 22, 2018


