A security researcher has posted evidence of a serious cross-site scripting vulnerability on Tumblr, the popular micro-blogging site used by millions.
Technical details on the flaw, described as a stored (persistent) XSS issue, is being withheld by Riyaz Walikar, the researcher who found the issue.
Walikar said he disclosed the issue to Tumblr on June 25, 2012 but the vulnerability still exists, putting millions of web surfers at risk of malicious hacker attacks.
"XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like BeEF and download and execute exploits on the victim's computer. Stored XSS is even more dangerous since the script is stored on the server and is executed everytime user visits an infected page," Walikar warned in a blog post that discusses the flaws.
The blog post contains two screenshots to demonstrate the XSS flaws.