Tumblr discloses vulnerability but says 'no evidence that this bug was abused'

Bug hunter finds security flaw in Tumblr's "Recommended Blogs" widget.
Written by Catalin Cimpanu, Contributor

Blogging platform Tumblr has revealed today that its site's desktop interface was affected by a bug that could have been abused to leak users' personal information.

Following an investigation, the company said it found "no evidence of this security bug being abused."

The issue, disclosed earlier today by the Tumblr staff, was located in the code of the "Recommended Blogs" widget that shows up on the desktop version of Tumblr blogs.

The widget, as its name implies, is only visible to logged-in users, and shows a rotating list of blogs that users should follow.

Tumblr said that "it was possible, using debugging software in a certain way, to view certain account information" for blogs that were listed in the Recommended Blogs widget.

"This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account," Tumblr said.
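The article does not say how the data became visible, only that "debugging software" exposed it for blogs listed in the widget. The following is an added example, not Tumblr's code, and it assumes one common root cause of that symptom: a server handler that serialises the blog owner's full account record into the widget's data, where anyone with browser developer tools can read it. The account records, field names and URLs are all constructed for the example. It shows the over-exposing handler beside an allow-listed one, plus a recursive check for forbidden fields that a team could run as a regression test against any response body.

```javascript
// Added example (not Tumblr's code). Constructed account records standing in
// for whatever a backend stores about a blog's owner.
const ACCOUNTS = [
  {
    blogName: 'example-blog',                 // rendered by the widget
    title: 'An Example Blog',                 // rendered by the widget
    avatarUrl: 'https://example.invalid/a.png', // rendered by the widget
    email: 'owner@example.invalid',           // must never leave the server
    passwordHash: '$2b$12$constructed.hash.value',
    previousEmails: ['old@example.invalid'],
    lastLoginIp: '203.0.113.7',
    location: 'Somewhere',
  },
  {
    blogName: 'second-blog',
    title: 'Second Blog',
    avatarUrl: 'https://example.invalid/b.png',
    email: 'second@example.invalid',
    passwordHash: '$2b$12$another.constructed.hash',
    previousEmails: [],
    lastLoginIp: '198.51.100.9',
    location: 'Elsewhere',
  },
];

// The bug class (assumed, see lead-in): the whole record is copied into the
// response, so every field is visible in the browser's network inspector.
function recommendedBlogsOverExposed(accounts) {
  return accounts.map((a) => ({ ...a }));
}

// The fix: an explicit allow-list of the fields the widget actually renders.
// New fields added to the account record later stay private by default.
const WIDGET_FIELDS = ['blogName', 'title', 'avatarUrl'];

function toWidgetEntry(account) {
  const entry = {};
  for (const field of WIDGET_FIELDS) {
    if (field in account) entry[field] = account[field];
  }
  return entry;
}

function recommendedBlogs(accounts) {
  return accounts.map(toWidgetEntry);
}

// Regression check: field names that must never appear in any response body,
// searched recursively so nested objects and arrays are covered too.
const FORBIDDEN_FIELDS = new Set([
  'email', 'passwordHash', 'previousEmails', 'lastLoginIp', 'location',
]);

// Returns the dotted paths of every forbidden field found in `value`.
function findLeakedFields(value, path = '') {
  const leaks = [];
  if (Array.isArray(value)) {
    value.forEach((v, i) => leaks.push(...findLeakedFields(v, `${path}[${i}]`)));
  } else if (value && typeof value === 'object') {
    for (const [key, v] of Object.entries(value)) {
      const p = path ? `${path}.${key}` : key;
      if (FORBIDDEN_FIELDS.has(key)) leaks.push(p);
      leaks.push(...findLeakedFields(v, p));
    }
  }
  return leaks;
}

// Stand-alone demonstration of both handlers against the constructed data.
console.log('over-exposed leaks:', findLeakedFields(recommendedBlogsOverExposed(ACCOUNTS)));
console.log('allow-listed leaks:', findLeakedFields(recommendedBlogs(ACCOUNTS)));
```

The allow-list is deliberately written as "fields that may go out" rather than "fields to strip": a deny-list silently starts leaking the next time someone adds a column to the account table, which is exactly the kind of drift that makes an exposure "rarely present" and hard to attribute after the fact.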

The company claimed that it "thoroughly investigated any way in which our community could have been affected," but found no evidence that an attacker had used this vulnerability to retrieve user data.

"We're not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present," the company added.

Tumblr said it became aware of the issue after a security researcher found the bug and reported the problem through its bug bounty program.

The company didn't reveal the researcher's name but said it patched the vulnerability 12 hours after it received the researcher's report, "a few weeks ago."

In the past month, a large number of Silicon Valley companies have reported security incidents, including the big three: Twitter, Facebook, and Google.

Tumblr's security incident is akin to the bugs reported by Google and Twitter, where legitimate site features contained vulnerabilities that could have allowed an attacker to harvest user data. The Facebook incident is similar, but in Facebook's case, the bug was actually exploited, and Facebook only found out after the attacker had collected data on at least 30 million users.

Tumblr also suffered an actual breach in 2016, when a hacker stole details for 65 million users, which he later sold online.
