Tumblr, a popular social networking and micro-blogging platform, has joined the trail of cybersecurity incidents across social media platforms. Fortunately, the problem does not seem critical here, as Tumblr patched the privacy bug before any malicious exploitation. The bug, however, could have exposed sensitive account information of users if exploited.
Tumblr Patched Privacy Bug In “Recommended Blogs” Feature
On October 17, 2018, Tumblr announced in a blog post that the service had patched a severe bug. According to the post, the flaw could have exposed sensitive account details of users. Fortunately, Tumblr patched the privacy bug in time to prevent any exploitation.
According to the blog post, a researcher informed Tumblr about a glitch in their “Recommended Blogs” feature. The flaw allegedly affected the desktop version only. Explaining the glitch, Tumblr wrote:
“The ‘Recommended Blogs’ module displays a short, rotating list of blogs of other users that may be of interest, and appears only for logged-in users. If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog.”
After learning of the bug, Tumblr began investigating the matter and found that the bug was only rarely present. Regarding what data the bug could have exposed, Tumblr stated:
“It was possible that certain user account information could have been viewed. This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account.”
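The flaw described above is a classic case of a response carrying far more data than the page renders: the module only shows a blog's name, but the account record behind it travels to the browser, where anyone with developer tools can read it. The following is an added illustration, not Tumblr's code and not a description of their fix. It uses hypothetical field names chosen to match the data categories the announcement lists, shows the over-serialization anti-pattern beside an allow-list serializer, and includes a scanner that flags sensitive keys in an outbound payload, which can double as a regression test.

```python
"""Allow-list serialization for a 'recommended blogs' style response.

Hypothetical example written for this article; not Tumblr's code.
Field names are assumptions modelled on the data categories the
announcement lists (email, hashed password, previous emails,
last login IP, self-reported location, blog name).
"""
import json
from dataclasses import dataclass, asdict
from typing import Any, Callable, Iterable


@dataclass
class UserAccount:
    """Full account record as stored server-side (hypothetical schema)."""
    blog_name: str
    blog_title: str
    avatar_url: str
    email: str
    password_hash: str
    previous_emails: list
    last_login_ip: str
    self_reported_location: str


# Constructed sample record; every value is made up.
SAMPLE_ACCOUNT = UserAccount(
    blog_name="example-blog",
    blog_title="An Example Blog",
    avatar_url="https://example.invalid/avatar.png",
    email="user@example.invalid",
    password_hash="$2b$12$PLACEHOLDER_HASH_VALUE_NOT_REAL",
    previous_emails=["old@example.invalid"],
    last_login_ip="203.0.113.7",
    self_reported_location="Somewhere",
)

# The only keys the recommended-blogs module actually needs to render.
PUBLIC_BLOG_FIELDS = ("blog_name", "blog_title", "avatar_url")

# Keys that must never appear in a response shown to another user.
SENSITIVE_KEYS = frozenset({
    "email", "password_hash", "previous_emails",
    "last_login_ip", "self_reported_location",
})


def serialize_recommended_blog_unsafe(account: UserAccount) -> dict:
    """Anti-pattern: dump the whole record. The template renders only
    name/title/avatar, but every field reaches the browser, so the
    network inspector in any developer tools shows it."""
    return asdict(account)


def serialize_recommended_blog(account: UserAccount) -> dict:
    """Hardened: project the record onto an explicit allow-list so new
    columns added to the model later are not exposed by default."""
    data = asdict(account)
    return {key: data[key] for key in PUBLIC_BLOG_FIELDS}


def find_sensitive_keys(payload: Any, path: str = "") -> list:
    """Walk a JSON-compatible payload and return the paths of any
    sensitive keys found. Usable as an outbound-response check in
    middleware or as an assertion in API tests."""
    found = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                found.append(here)
            found.extend(find_sensitive_keys(value, here))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            found.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return found


def build_response(accounts: Iterable[UserAccount],
                   serializer: Callable[[UserAccount], dict]) -> str:
    """Build the JSON body the module would receive."""
    return json.dumps({"recommended_blogs": [serializer(a) for a in accounts]})


if __name__ == "__main__":
    unsafe_body = json.loads(build_response([SAMPLE_ACCOUNT], serialize_recommended_blog_unsafe))
    safe_body = json.loads(build_response([SAMPLE_ACCOUNT], serialize_recommended_blog))
    print("unsafe response leaks:", find_sensitive_keys(unsafe_body))
    print("hardened response leaks:", find_sensitive_keys(safe_body))
```

The allow-list direction matters: denying a list of known-sensitive fields fails silently when a new column is added to the model, whereas naming the fields a view needs means additions stay private until someone deliberately exposes them. Running `find_sensitive_keys` against every serialized response in a test suite catches the over-fetch before it ships.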
Bug Patched Swiftly
Tumblr received the report about this privacy bug from a security researcher under its bug bounty program. After receiving the notice, the engineering team resolved the matter within 12 hours. The flaw therefore no longer exists, and Tumblr confirmed that it investigated the incident and found no evidence of any exploitation of this bug in the wild. Although the company does not state the number of accounts affected, it assures that the “bug was rarely present”.
With this, Tumblr simply joins the trail of security incidents across different social networks, the most recent and prominent being Facebook’s hack affecting 30 million accounts, the Google Plus data breach and subsequent closure, and Twitter’s API bug exposing direct messages. What is commendable here is that Tumblr quickly patched the bug and found no exploitation, yet still considered it right to inform the public about the matter in the interest of transparency.