Vulnerability in Tumblr could have compromised users’ account data

Information from some accounts may have been compromised

Tumblr has published a security notice disclosing a vulnerability on its website that could have allowed attackers to obtain login credentials and other private information from user accounts.

According to the notice, the exposed information includes users’ email addresses, protected account passwords, self-reported location (a feature that is no longer available), previously used email addresses, the IP address associated with the last login, and the blog names associated with each account.

According to the company, a security researcher discovered a critical vulnerability in the desktop version of its website and reported it to the Tumblr security team through its bug bounty program.

Tumblr has not named the researcher or published technical details of the vulnerability, but it did say that the flaw resided in the “Recommended blogs” feature of its desktop website. This feature displays a short, periodically refreshed list of other users’ blogs that may be of interest to the user, and the module is shown only to logged-in Tumblr users.

In a statement the company said: “If a blog appeared in the ‘Recommended blogs’ module, it was possible, using debugging software in some specific way, to get some account information associated with the recommended blog.”

In other words, an account could only have been affected if its blog was shown in the “Recommended blogs” module of a user who exploited the flaw.

The company has not been able to determine which accounts were recommended through the vulnerable module, so it cannot estimate the number of affected users, but it stated that the bug manifested very infrequently.

Tumblr also said that its internal investigation found no evidence that the flaw was ever exploited. “Our mission is to provide a safe space for people to express themselves freely and form communities around the things they enjoy most,” said Tumblr. “We believe that this vulnerability could have affected users’ experience. We want to be transparent with you about it. From our point of view, it’s just the right thing.”

This disclosure comes less than a week after Facebook announced the most serious security breach it has ever experienced, an incident that allowed attackers to steal personal information from over 30 million users worldwide.

In addition, just over a week ago, Google announced the shutdown of its social network, Google+, after a data exposure that made private information of hundreds of thousands of Google+ users available to third-party developers.

Digital forensics experts from the International Institute of Cyber Security also reported a similar incident on Twitter, in which an API bug inadvertently delivered direct messages (DMs) and protected tweets of over 3 million people to third-party application developers who were not authorized to receive them.