Tumblr bug bounty program detects flaw, no user info lost

News by Doug Olenick

The social media site Tumblr disclosed that it was able to head off a potential cyber-security issue when its bug bounty program revealed a vulnerability that could have exposed user PII.

The flaw was in Tumblr’s "Recommended Blogs" feature for logged-in desktop and mobile users.

"If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog," Tumblr reported in a statement on the incident.

Tumblr does not believe the vulnerability was exploited or that any user information was accessed, but had it been, an unauthorised person could have obtained email addresses, hashed and salted passwords, locations, previously used email addresses, last login IP address and the name of the blog associated with the account.

The company said the flaw was fixed within 12 hours of being reported and enhanced monitoring has been installed to detect and prevent similar problems from happening again.

Originally published in scmagazine.com North America.
