A security vulnerability in the social network Tumblr could have let an attacker obtain users’ account details, including login credentials and other private information. A security notice published yesterday by the company acknowledged the flaw and announced that it had been patched.
The account information exposed by the bug included current and previous email addresses, passwords, self-reported location, IP addresses and blog names.
According to Tumblr’s notice, the critical vulnerability was found by a security researcher in the desktop version of the company’s website and was reported through its Bug Bounty Program, which invites security researchers worldwide to test the security of the company’s systems.
The fix was deployed within 12 hours of the report reaching Tumblr.
The vulnerability resided in the Recommended Blogs feature
The Recommended Blogs feature showed a rotating list of suggested blogs that a user might be interested in. It was shown only to registered, logged-in visitors. The company was not able to identify the specific accounts that could have been affected by the flaw.
If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with that blog. This suggests the data was included in what the server sent to the browser even though the rendered page never displayed it.
In other words, only users whose blogs were displayed in the module to a potential attacker could have been affected.
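Tumblr has published no technical details, so the following is not its code and does not reproduce the actual bug. It is an added illustration of the class of defect that “viewing account information with debugging software” usually points to: a recommendations endpoint that serialises whole account records, so the browser receives fields (emails, password hash, IP address) that the rendered page never shows, all visible in the developer tools network panel. The record layout, field names, the `recommended_blogs_*` functions and the sample data are constructed assumptions for this example. The hardened version allowlists public fields, and `find_sensitive_keys` is the kind of response-audit check a test suite can run over API output.

```python
"""Over-exposed API response: leaky vs. allowlisted serialisation (assumed pattern)."""
import json

# Constructed sample backend records. Field names are assumptions, not Tumblr's schema.
BLOG_RECORDS = {
    "blog-a": {
        "name": "blog-a",
        "title": "Blog A",
        "description": "Photos and notes.",
        "owner_email": "a@example.invalid",
        "previous_emails": ["old-a@example.invalid"],
        "password_hash": "$2b$12$examplehashexamplehashexamplehashexampleha",
        "location": "Berlin",
        "last_login_ip": "203.0.113.7",
    },
    "blog-b": {
        "name": "blog-b",
        "title": "Blog B",
        "description": "Sketches.",
        "owner_email": "b@example.invalid",
        "previous_emails": [],
        "password_hash": "$2b$12$anotherhashanotherhashanotherhashanotherha",
        "location": "Lisbon",
        "last_login_ip": "198.51.100.23",
    },
}

# Fields a recommendation card actually needs. Anything not listed is never serialised.
PUBLIC_FIELDS = ("name", "title", "description")

# Keys that must never appear in a response sent to an arbitrary logged-in user.
SENSITIVE_KEYS = {
    "owner_email", "previous_emails", "password_hash", "password",
    "location", "last_login_ip", "ip",
}


def recommended_blogs_leaky(names):
    """Vulnerable pattern: returns whole records. The UI renders only name/title,
    but the browser receives every field, so a network inspector shows them all."""
    return [BLOG_RECORDS[n] for n in names if n in BLOG_RECORDS]


def recommended_blogs_fixed(names):
    """Hardened pattern: explicit allowlist. A new sensitive column added to the
    record later is still not exposed, because fields are opted in, not opted out."""
    return [{k: BLOG_RECORDS[n][k] for k in PUBLIC_FIELDS}
            for n in names if n in BLOG_RECORDS]


def find_sensitive_keys(payload, path="$"):
    """Walk a JSON-like payload and return the paths of any SENSITIVE_KEYS found.
    Used as a response-audit check over what a handler is about to send."""
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_KEYS:
                hits.append(child)
            hits.extend(find_sensitive_keys(value, child))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            hits.extend(find_sensitive_keys(value, f"{path}[{index}]"))
    return hits


def wire_response(handler, names):
    """The bytes that actually leave the server: exactly what developer tools show."""
    return json.dumps(handler(names))


def serialise_checked(handler, names):
    """Fail closed: refuse to emit a response that carries a sensitive key."""
    body = handler(names)
    leaks = find_sensitive_keys(body)
    if leaks:
        raise ValueError(f"refusing to send response, sensitive keys at: {leaks}")
    return json.dumps(body)


if __name__ == "__main__":
    print("leaky  :", find_sensitive_keys(json.loads(wire_response(recommended_blogs_leaky, ["blog-a"]))))
    print("fixed  :", find_sensitive_keys(json.loads(wire_response(recommended_blogs_fixed, ["blog-a"]))))
    print("checked:", serialise_checked(recommended_blogs_fixed, ["blog-a", "blog-b"]))
```

The audit walks the serialised form rather than the in-memory objects, because it is the wire representation, not the template, that an attacker reads in the browser’s network panel; nested structures are covered so that a leak inside a sub-object or list element is still caught.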
The company has not released any further technical information about the bug, and the name of the researcher who found it has not been disclosed.
Tumblr says it found no evidence that the vulnerability was exploited.
“It's our mission to provide a safe space for people to express themselves freely and form communities around things they love,” Tumblr says. “We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it's simply the right thing to do.”
Other social networks also suffering security issues
Tumblr disclosed the flaw less than a week after the Facebook security breach that could have affected 30 million of its users’ accounts.
Earlier this month, Google announced security and privacy changes, including the shutdown of its social network Google+, after a bug could have exposed the account information of thousands of Google+ users to third-party developers.
Finally, in September, Twitter announced a security issue that affected about 3 million users.