Tumblr Fixes Flaw that Made Accounts Vulnerable
The information made vulnerable by the flaw would have let hackers obtain information they could use for phishing scams, harassment and other campaigns.
- By Jessica Davis
- Oct 19, 2018
The blogging site Tumblr has disclosed a security flaw that could have exposed sensitive account information. The flaw has been fixed, and Tumblr said there was no evidence that the vulnerability had been exploited by bad users.
A security researcher discovered a security vulnerability in the part of the site that shows recommends blogs to logged-in users. If a blog showed up in the “recommended blogs” module, a debugging tool could be used to obtain their current and past email addresses, their scrambled password, their self-reported location and the IP address from their most recent sign-in.
The security researcher reported the bug to Tumblr, who fixed it within a day and awarded the reporter an unknown amount from the site’s bug bounty program.
The information made vulnerable by the flaw would have let hackers obtain information they could use for phishing scams, harassment and other campaigns.
In a blog post, Tumblr said that there is “no evidence” that anyone exploited the security vulnerability, and “nothing to suggest” that anyone accessed unprotected account information. The site wanted to “be transparent” about the incident regardless.
About the Author
Jessica Davis is the Associate Content Editor for 1105 Media.