Tumblr Fixes 'Recommended Blogs' Bug That Exposed Account Information
Tumblr suffered a security vulnerability recently and the blogging site has disclosed all relevant information related to the issue. Tumblr also said that it has already fixed the bug which may have exposed users’ account information.
“A few weeks ago, we received a report of a bug involving user account information from a security researcher participating in our bug bounty program, which invites some of the best researchers in the world to test the security of our systems,” the company said on its blog. “The bug was resolved by our engineering team within 12 hours of being reported to us, and we’ve taken steps to enhance product monitoring and analysis that will help prevent and detect this type of bug in the future.”
The bug that exposed users’ account information was found in the “Recommended Blogs” feature on the desktop website. This feature displays a carousel of recommended blogs to logged-in users. The company explained that when a blog appeared on the Recommended Blogs section, it was possible for attackers to view the account information of the user that’s associated with that blog.
Tumblr didn’t provide any additional information on how the bug exactly works and the company said that it was unable to determine which specific accounts were affected. Those who were affected by the bug may have had their account information exposed, including their email addresses, hashed (protected) passwords, self-reported location, previously used email addresses, last logged-in IP address and the name of the blog associated with the account.
“We’ve also thoroughly investigated any way in which our community could have been affected. We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed,” Tumblr said.
Although this may sound like good news, TechCrunch pointed out that it’s nearly impossible for companies to determine with certainty that the bug wasn’t exploited. It’s only until the data is published or shared somewhere else that it can be confirmed that the bug was exploited by a malicious third party. Tumblr said that users aren’t required to take any action, but it’s wise to change passwords at this point.
“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do,” Tumblr said.
© Copyright IBTimes 2024. All rights reserved.