Tumblr Fixes Flaw that Made Accounts Vulnerable

Tumblr Fixes Flaw that Made Accounts Vulnerable

The information made vulnerable by the flaw would have let hackers obtain information they could use for phishing scams, harassment and other campaigns.

The blogging site Tumblr has disclosed a security flaw that could have exposed sensitive account information. The flaw has been fixed, and Tumblr said there was no evidence that the vulnerability had been exploited by bad users.

A security researcher discovered a security vulnerability in the part of the site that shows recommends blogs to logged-in users. If a blog showed up in the “recommended blogs” module, a debugging tool could be used to obtain their current and past email addresses, their scrambled password, their self-reported location and the IP address from their most recent sign-in.

The security researcher reported the bug to Tumblr, who fixed it within a day and awarded the reporter an unknown amount from the site’s bug bounty program.

The information made vulnerable by the flaw would have let hackers obtain information they could use for phishing scams, harassment and other campaigns.

In a blog post, Tumblr said that there is “no evidence” that anyone exploited the security vulnerability, and “nothing to suggest” that anyone accessed unprotected account information. The site wanted to “be transparent” about the incident regardless.  

About the Author

Jessica Davis is the Associate Content Editor for 1105 Media.

Featured

New Products

  • Cover image for IDP ProCare

    IDP ProCare™ Premium Support Program

    Minimize downtime and secure uninterrupted credential production with priority technical support, overnight advanced unit replacements, and proactive system health reviews.

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis.

  • NAPCO product image

    StarLink Fire Max2 Dual Cell/IP Communicator

    Streamline commercial fire compliance with dual-carrier cellular connectivity, a dedicated FACP data path, and dual-layer electronic inspection verification.