
Tumblr promises it fixed a bug that left user data exposed

Tumblr says it has sorted out a bug on its site that could potentially have revealed user data.

The New York-based company said on Wednesday, October 17, 2018 that it had “some important information” to share, before going on to explain the security flaw.


First, it wanted to make clear that it so far had no concrete evidence that any data had been stolen. At the same time, the company said the issue had been resolved and that no action, such as changing account passwords, was required on the part of users.


So, what happened? According to the blogging platform, a security researcher reported the problem several weeks ago via Tumblr’s bug bounty program. Engineers fixed the issue within half a day, and since then the company has taken steps to improve monitoring and analysis procedures to help it identify and fix any similar bugs in the future.

The flaw in question was linked to the “recommended blogs” feature on the desktop version of Tumblr. Recommended blogs are chosen by an algorithm and shown as a short, rotating list of other users’ blogs that may be of interest; the module only appears for people logged in to the Tumblr site.

According to Tumblr, if a user’s blog appeared in this module, it was possible, by “using debugging software in a certain way,” to view some of that user’s account information. In other words, the information was present in what the site delivered to the logged-in viewer’s browser, even though the page itself did not display it; anyone inspecting that traffic with developer tools could read it.

“We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed,” the company said.

It added that it couldn’t be sure which specific accounts were affected by the security flaw, but said that through its own analysis, “the bug was rarely present.”

At worst, certain account information could have been viewed, including the email address, the stored (encrypted, not plaintext) form of the account password, the self-reported location (a feature that’s no longer available), previously used email addresses, the last login IP address, and the name of the blog linked to the account.
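The bug class described above, where a response carries fields the page never renders, can be shown with a small reconstruction. This is an added example and not Tumblr’s code; the endpoint name, field names and sample record are assumptions chosen to match the list of exposed data in the text, and the fix shown (a server-side allowlist of public fields plus a regression check) is a general pattern, not a description of what Tumblr actually changed.

```javascript
// Added illustration, not Tumblr's code. Field names and the sample record
// are constructed to mirror the categories of data named in the disclosure.

// Constructed sample: one user record as a backend might hold it.
const sampleUser = {
  id: 42,
  blogName: "example-blog",
  email: "user@example.com",
  previousEmails: ["old@example.com"],
  passwordHash: "$2b$12$constructed.hash.value.not.a.real.one",
  lastLoginIp: "203.0.113.7",
  location: "Somewhere",
};

// Vulnerable pattern: the recommendation endpoint serializes the whole
// record and relies on the front-end to show only the blog name. Everything
// in the response is visible in the browser's network/debugging tools,
// whether or not the page renders it.
function recommendedBlogsLeaky(users) {
  return users.map((u) => ({ ...u }));
}

// Hardened pattern: an explicit allowlist of fields that are public to
// other users, applied on the server before the response is built.
const PUBLIC_FIELDS = ["id", "blogName"];

function toPublicBlog(u) {
  const out = {};
  for (const k of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(u, k)) out[k] = u[k];
  }
  return out;
}

function recommendedBlogsSafe(users) {
  return users.map(toPublicBlog);
}

// Regression check: fields that must never appear in a response served to a
// different user. Walks nested objects so a wrapped record is caught too.
const SENSITIVE_FIELDS = [
  "email",
  "previousEmails",
  "passwordHash",
  "lastLoginIp",
  "location",
];

function leakedFields(value, found = new Set()) {
  if (Array.isArray(value)) {
    for (const item of value) leakedFields(item, found);
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (SENSITIVE_FIELDS.includes(k)) found.add(k);
      leakedFields(v, found);
    }
  }
  return [...found].sort();
}

// Stand-alone demonstration on the constructed record.
console.log("leaky response exposes:", leakedFields(recommendedBlogsLeaky([sampleUser])));
console.log("safe response exposes: ", leakedFields(recommendedBlogsSafe([sampleUser])));
```

A check like `leakedFields` belongs in the test suite for every endpoint that returns data about users other than the caller; it turns “we found no evidence the bug was abused” into “the response cannot carry these fields at all.”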

The company said it wanted to be transparent with its community about the security flaw, even though it’s confident that no user data was stolen while the bug was live. That confidence rests on its own analysis, so Tumblr will presumably keep monitoring to confirm that the assumption holds.

Not the first, won’t be the last …

Tumblr certainly isn’t the first social media service to get entangled in an online security issue. Only recently, Facebook revealed a vulnerability that gave attackers the chance to take control of as many as 30 million accounts, while Twitter said in September it had squashed a bug that leaked direct messages between users. And then there’s Google+, which said last week that a flaw had exposed personal information linked to up to half a million accounts to third-party developers. Following that disclosure, and citing a lack of interest among users in the platform, Google said it plans to shut down Google+ completely by August 2019.

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…