Tumblr discloses vulnerability but says 'no evidence that this bug was abused'
Blogging platform Tumblr has revealed today that its site's desktop interface was affected by a bug that could have been abused to leak users' personal information.
Following an investigation, the company said it found "no evidence of this security bug being abused."
The issue, disclosed earlier today by the Tumblr staff, was located in the code of the "Recommended Blogs" widget that shows up on the desktop version of Tumblr blogs.
The widget, as its name implies, is only visible to logged-in users, and shows a rotating list of blogs that users should follow.
Tumblr said that "it was possible, using debugging software in a certain way, to view certain account information" for blogs that were listed in the Recommended Blogs widget.
"This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account," Tumblr said.
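The failure pattern described above is a widget whose back end serialized a whole account record even though the page only rendered a name and an avatar, so the extra fields were visible to anyone inspecting the network response. The following is an added illustration, not Tumblr's code: a constructed sample record, the leaky serializer beside an allowlist serializer, and a defender-side check that scans a JSON payload for keys that should never reach a browser. Field names, the regex, and the record contents are assumptions chosen for the example.

```javascript
// Added example (not Tumblr's code). Constructed sample of a server-side
// account record of the kind a "recommended blogs" endpoint might load.
// Only the first three fields belong in the response the widget receives.
const sampleAccount = {
  blogName: "example-blog",
  blogTitle: "Example Blog",
  avatarUrl: "https://example.invalid/avatar.png",
  email: "owner@example.invalid",
  passwordHash: "$2y$10$constructedsamplehash",
  previousEmails: ["old@example.invalid"],
  lastLoginIp: "203.0.113.7",
  location: "Somewhere",
};

// Leaky pattern: the template renders only a few fields, but the payload
// carries the whole record, so the rest is visible in the network inspector.
function serializeRecommendationLeaky(account) {
  return JSON.stringify(account);
}

// Hardened pattern: build the response from an explicit allowlist. Fields not
// named here cannot reach the client, whatever gets added to the record later.
const PUBLIC_FIELDS = ["blogName", "blogTitle", "avatarUrl"];

function serializeRecommendation(account) {
  const out = {};
  for (const field of PUBLIC_FIELDS) {
    if (field in account) out[field] = account[field];
  }
  return JSON.stringify(out);
}

// Defender-side check: walk a JSON payload and report keys that match names
// of sensitive data. Usable as a unit test on serializers or as a response
// filter in a staging environment. The pattern is an assumption for the demo.
const SENSITIVE_KEY_PATTERN = /(password|hash|email|ip$|ipaddress|token|secret)/i;

function findSensitiveKeys(payload) {
  const hits = [];
  const walk = (value, prefix) => {
    if (Array.isArray(value)) {
      value.forEach((v, i) => walk(v, `${prefix}[${i}]`));
    } else if (value && typeof value === "object") {
      for (const [key, v] of Object.entries(value)) {
        const path = prefix ? `${prefix}.${key}` : key;
        if (SENSITIVE_KEY_PATTERN.test(key)) hits.push(path);
        walk(v, path);
      }
    }
  };
  walk(JSON.parse(payload), "");
  return hits;
}

// Running the check against both serializers on the sample record.
console.log("leaky:", findSensitiveKeys(serializeRecommendationLeaky(sampleAccount)));
console.log("hardened:", findSensitiveKeys(serializeRecommendation(sampleAccount)));
```

The allowlist approach is what makes the fix durable: a denylist serializer would have to be updated every time a new sensitive column is added to the account record, whereas an allowlist only ever grows when someone deliberately decides a field is public.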
The company claimed that it "thoroughly investigated any way in which our community could have been affected," but found no evidence that an attacker had used this vulnerability to retrieve user data.
"We're not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present," the company added.
Tumblr said it became aware of the issue after a security researcher found the bug and reported the problem through its bug bounty program.
The company didn't reveal the researcher's name but said it patched the vulnerability 12 hours after it received the researcher's report, "a few weeks ago."
In the past month, a large number of Silicon Valley companies have reported security incidents, including the big three: Twitter, Facebook, and Google.
Tumblr's security incident is akin to the bugs reported by Google and Twitter, where legitimate site features contained vulnerabilities that could have allowed an attacker to harvest user data. The Facebook incident is similar, but in Facebook's case, the bug was actually exploited, and Facebook only found out after the attacker had collected data on at least 30 million users.
Tumblr also suffered an actual breach in 2016, when a hacker stole details for 65 million users, which he later sold online.