steven36 Posted October 18, 2018

Staff penned an open letter in an effort to be transparent

A security bug that hit Tumblr’s recommended blogs module may have exposed users’ private information, according to an open letter. Information like email addresses, passwords, IP addresses, and self-reported locations may have become exposed due to the bug if individual accounts were hit. It’s unclear if the bug affected individual accounts, according to the open letter, but an investigation concluded that the bug “was rarely present.”

“We’ve also thoroughly investigated any way in which our community could have been affected,” the letter reads. “We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed.”

The bug was brought to Tumblr’s attention through a bug bounty program run by Oath, Tumblr’s parent company. A security researcher discovered that if a blog appeared in the recommended section of a user’s dashboard, “it was possible, using debugging software in a certain way, to view certain account information associated with the blog.”

Tumblr’s desire to be transparent with users about security bugs and potentially compromised information comes at a time when other social media platforms are being hit with criticism. Facebook has encountered several major security flaws this year, leading to widespread concern among users as millions of accounts were affected.

“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love,” Tumblr’s open letter reads. “We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.”
steven36 Posted October 18, 2018 (Author)

Tumblr turns stumblr, left humblr: Blogging biz blogs bloggers' private info to world+dog

'No evidence' vulnerability was abused, though, we're told

Tumblr today revealed it has fixed a security bug in its website that quietly revealed private details of some of its bloggers.

This is quite an interesting bug. The desktop version of Tumblr shows a list of recommended blogs for logged-in users to check out. According to Tumblr, "it was possible, using debugging software in a certain way, to view certain account information" associated with the blogs shown in the box of recommendations. By debugging software, Tumblr may be referring to your web browser's developer console, or page source inspection feature. We've asked for a clarification on that.

So what kind of information was disclosed for each recommended blog? We're told...

...this included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account.

So, basically, details a Tumblr blogger may not want disclosed to the public.

"We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present," Tumblr staff added.

It's a curious admission because Tumblr staff believe no one abused the security hole, it was reported privately via its bug bounty, and it was fixed within 12 hours.

It's good that Tumblr is being transparent; however, is this going to be the norm? Can you imagine the information overload if every Fortune 1000 company publicly disclosed every security bug discovered by a penetration test, bug bounty, or an internal audit? Perhaps that's good and proper, and what people want: honesty and transparency.

However, there is a fear this practice will discourage organizations from looking in the first place, in order to avoid any negative headlines when they publicize their bug discoveries.

In any case, after Google copped a shedload of flak this month for not 'fessing up to a security flaw it quietly fixed in its doomed social network, Tumblr is striving to be as open as possible, at least before it leaks to reporters.

"It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love," sighed the Tumblr staffers. "We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do."

Don't forget, Google's Project Zero routinely discloses security flaws in other companies' products, yet Google stayed silent on its own programming blunder, so perhaps it should have disclosed on the grounds of fairness. But this is the world of technology, and playing fair usually gets you absolutely nowhere.
Ha91 Posted October 20, 2018

Why are so many similar basic exploits all of a sudden coming out now? I feel these doors had been left open for advertising and government agencies. So many companies cannot be so lazy about security.