Tumblr Privacy Bug Could Have Exposed Sensitive Account Data

Tumblr stressed that there is no evidence the security bug was being abused or that unprotected account data was accessed.

Tumblr on Wednesday disclosed it had fixed a vulnerability that could have exposed sensitive account information including usernames/passwords and individual IP addresses. However, the company stressed there’s no evidence that any data was exposed.

The bug existed in the “Recommended Blogs” feature on the desktop version of Tumblr, the micro-blogging and social media site said. The “Recommended Blogs” module displays a short, rotating list of blogs of other users that may be of interest, and appears only for logged-in users.

However, “if a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog,” Tumblr disclosed in a Wednesday post titled “Being Transparent About Security Bugs.”

That account information included email addresses, protected (hashed and salted) passwords of the Tumblr accounts, self-reported locations, previously used email addresses, last login IP addresses, and the name of the blog associated with the account.
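The class of bug described above, as an added illustration rather than Tumblr's code: a recommendation widget that serialises the whole account record sends every field to the browser, where it is readable with ordinary developer tools; the hardened version allow-lists the public fields, and a check flags any sensitive key in the response. The record, field names and function names are assumed.

```python
import json

# Constructed sample record; every value is a placeholder, not real data.
ACCOUNT = {
    "blog_name": "example-blog",
    "title": "An Example Blog",
    "avatar_url": "https://example.invalid/avatar.png",
    "email": "user@example.invalid",
    "password_hash": "$2y$10$placeholderhash",
    "last_login_ip": "192.0.2.10",
    "location": "Somewhere",
    "previous_emails": ["old@example.invalid"],
}

# Fields that must never reach the client (matches the data types in the disclosure).
SENSITIVE_FIELDS = {"email", "password_hash", "last_login_ip", "location", "previous_emails"}
# Explicit allow-list: a new column added to the record later stays private by default.
PUBLIC_FIELDS = ("blog_name", "title", "avatar_url")


def recommended_blog_vulnerable(account):
    # Vulnerable pattern: the full record is passed through to the page as-is.
    return json.dumps(account)


def recommended_blog_fixed(account):
    # Hardened pattern: copy only the allow-listed fields into the response.
    return json.dumps({k: account[k] for k in PUBLIC_FIELDS if k in account})


def leaked_fields(payload_json):
    """Return the set of sensitive keys that appear anywhere in a JSON payload."""
    found = set()

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in SENSITIVE_FIELDS:
                    found.add(key)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(payload_json))
    return found


if __name__ == "__main__":
    print("vulnerable leaks:", sorted(leaked_fields(recommended_blog_vulnerable(ACCOUNT))))
    print("fixed leaks:", sorted(leaked_fields(recommended_blog_fixed(ACCOUNT))))
```

The `leaked_fields` check is the kind of assertion a response-serialisation test suite can run against every public endpoint so that over-fetching is caught before deployment.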

Tumblr said that it was not able to determine which specific accounts were impacted. The company did not respond to a further request for comment about how long the bug had existed.

The company also did not say how many accounts were impacted other than to state that “our analysis has shown that the bug was rarely present.”

The vulnerability, which was discovered by a researcher participating in Tumblr’s bug bounty program, was resolved by the company’s engineering team 12 hours after it was first reported, the company said.

Tumblr is a division of Oath (formerly AOL), which is now owned by Verizon Communications. Tumblr’s bug bounty program is run on the HackerOne platform. The scope of qualifying Tumblr bugs for the HackerOne Tumblr bug bounty program includes cross-site scripting, cross-site request forgery, authentication or authorization bypass, remote code execution, and local or remote file inclusion.

Tumblr said there is no evidence the security bug was being abused or that unprotected account data was accessed.

The bug is only the latest security incident to hit a social networking site as concerns about data privacy and protection continue to grow in this space. Facebook, in September, said that hackers exploited a flaw in its platform that left the access tokens of around 30 million Facebook accounts ripe for the taking.

Meanwhile, Google recently shut down its social network Google+ after a software bug in an API for the service was discovered by Google’s internal security team this spring. The bug opened the door for outside developers to access private Google+ profile data.