
Tumblr’s ‘recommended blogs’ feature exposed user data


steven36


Staff penned an open letter in an effort to be transparent


A security bug that hit Tumblr’s recommended blogs module may have exposed users’ private information, according to an open letter. Information like email addresses, passwords, IP addresses, and self-reported locations may have become exposed due to the bug if individual accounts were hit.


It’s unclear if the bug affected individual accounts, according to the open letter, but an investigation concluded that the bug “was rarely present.”


“We’ve also thoroughly investigated any way in which our community could have been affected,” the letter reads. “We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed.”


The bug was brought to Tumblr’s attention through a bug bounty program run by Oath, Tumblr’s parent company. A security researcher discovered that if a blog appeared in the recommended section of a user’s dashboard, “it was possible, using debugging software in a certain way, to view certain account information associated with the blog.”


Tumblr’s desire to be transparent with users about security bugs and potentially compromised information comes at a time when other social media platforms are being hit with criticism. Facebook has encountered several major security flaws this year, leading to widespread concern among users as millions of accounts were affected.


“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love,” Tumblr’s open letter reads. “We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.”


Source


Tumblr turns stumblr, left humblr: Blogging biz blogs bloggers' private info to world+dog

'No evidence' vulnerability was abused, though, we're told


Tumblr today revealed it has fixed a security bug in its website that quietly revealed private details of some of its bloggers.


This is quite an interesting bug. The desktop version of Tumblr shows a list of recommended blogs for logged-in users to check out. According to Tumblr, "it was possible, using debugging software in a certain way, to view certain account information" associated with the blogs shown in the box of recommendations.


By debugging software, Tumblr may be referring to your web browser's developer console, or page source inspection feature. We've asked for a clarification on that.

So what kind of information was disclosed for each recommended blog? We're told...


...this included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account.


So, basically details a Tumblr blogger may not want to be disclosed to the public. "We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present," Tumblr staff added.


It's a curious admission because Tumblr staff believe no one abused the security hole, it was reported privately via its bug bounty, and it was fixed within 12 hours.


It's good that Tumblr is being transparent, however, is this going to be the norm? Can you imagine the information overload if every Fortune 1000 company publicly disclosed every security bug discovered by a penetration test, bug bounty, or an internal audit? Perhaps that's good and proper, and what people want: honesty and transparency. However, there is a fear this practice will discourage organizations from looking in the first place, in order to avoid any negative headlines when they publicize their bug discoveries.


In any case, after Google copped a shedload of flak this month for not 'fessing up to a security flaw it quietly fixed in its doomed social network, Tumblr is striving to be as open as possible, at least before it leaks to reporters.


"It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love," sighed the Tumblr staffers. "We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do."


Don't forget, Google's Project Zero routinely discloses security flaws in other companies' products, yet Google stayed silent on its own programming blunder, so perhaps it should have disclosed on the grounds of fairness. But this is the world of technology, and playing fair usually gets you absolutely nowhere.


Source
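The bug class both reports describe (a recommendations module serialising the whole account record into page data, so anyone inspecting the response with browser developer tools could read fields meant to stay private), as an added example that is not Tumblr's or either outlet's code. Field names, sample records and the endpoint shape are constructed assumptions; the sensitive fields mirror the list Tumblr gave.

```python
"""Over-exposure in a 'recommended blogs' response, and the allowlist fix."""
import json

# Fields a recommendations widget legitimately needs (assumed).
PUBLIC_FIELDS = ("blog_name", "title", "avatar_url")

# Fields Tumblr said were exposed, plus nothing else (names are constructed).
SENSITIVE_FIELDS = frozenset({
    "email", "password_hash", "previous_emails", "last_login_ip", "location",
})

# Constructed sample account records, as a server-side data layer might hold them.
ACCOUNTS = [
    {"blog_name": "example-blog", "title": "Example", "avatar_url": "/a/1.png",
     "email": "owner@example.invalid", "password_hash": "$2b$12$constructedhash",
     "previous_emails": ["old@example.invalid"], "last_login_ip": "203.0.113.7",
     "location": "Nowhere"},
]

def serialize_recommendations_unsafe(accounts):
    """Vulnerable pattern: the full account row goes into the page/JSON payload."""
    return [dict(a) for a in accounts]

def serialize_recommendations(accounts):
    """Hardened pattern: copy only an explicit allowlist of public fields."""
    return [{k: a[k] for k in PUBLIC_FIELDS if k in a} for a in accounts]

def find_exposed_fields(payload, sensitive=SENSITIVE_FIELDS):
    """Audit helper: walk a JSON-able response and return sensitive keys found.

    Usable as a regression test or a response-filter check in CI, so a later
    refactor that re-introduces the full record is caught before deploy.
    """
    found = set()
    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k in sensitive:
                    found.add(k)
                walk(v)
        elif isinstance(node, list):
            for v in node:
                walk(v)
    walk(payload)
    return found

if __name__ == "__main__":
    print(json.dumps(serialize_recommendations(ACCOUNTS), indent=2))
    print("leaked:", sorted(find_exposed_fields(serialize_recommendations_unsafe(ACCOUNTS))))
```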


Why, all of a sudden, are so many similar basic exploits coming out now?
I feel these doors had been left open for advertisers and government agencies.

So many companies cannot be so lazy about security.
