Tumblr fixes security flaw that exposed account info

The recommended blogs feature showed more than it should.
Jon Fingas, @jonfingas
October 17, 2018
Image credit: S3studio via Getty Images

Tumblr just fixed a flaw that could have revealed much more than bloggers were comfortable sharing. A security researcher who reported the issue to the social site (which is owned by Engadget's parent brand Oath, and thus Verizon) found a security hole in the "recommended blogs" module that exposed sensitive account information. If a blog appeared in the module, a user could open a browser debugging tool and read the account owner's current and past email addresses, their obscured password, their name and the IP address from their last sign-in. The self-reported location was also visible, although that field hasn't been an option for a while.
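The bug described above is a classic case of an endpoint returning a whole account record and relying on the page template to display only a few fields, so anything in the raw response is one "inspect network request" away. The following is an added example, not Tumblr's code or anything derived from its API: a hypothetical `serialize_public_blog` that allowlists the fields a recommendation card actually needs, plus a `find_exposed_fields` check that walks a JSON-like response body and reports any sensitive keys. The field names, the `SAMPLE_ACCOUNT` record and the `SENSITIVE_KEYS` list are all constructed for the illustration.

```python
"""Allowlist-based serialization for a 'recommended blogs' style card, with a
response-body check for over-exposed fields.

Added illustrative example; the data model and field names are hypothetical and
do not describe Tumblr's actual API."""
from typing import Any, Dict, List

# Hypothetical allowlist: the only fields a recommendation card needs to render.
PUBLIC_FIELDS = frozenset({"name", "title", "avatar_url", "url"})

# Constructed denylist used by the response check. It mirrors the categories of
# data the article says were reachable (emails, obscured password, name, last
# sign-in IP, self-reported location); the key names themselves are invented.
SENSITIVE_KEYS = frozenset({
    "email", "previous_emails", "password_hash",
    "last_login_ip", "real_name", "location",
})

# Constructed sample of what a naive endpoint might return: the full record.
SAMPLE_ACCOUNT: Dict[str, Any] = {
    "name": "example-blog",
    "title": "An Example Blog",
    "avatar_url": "https://example.invalid/avatar.png",
    "url": "https://example-blog.example.invalid",
    "email": "owner@example.invalid",
    "previous_emails": ["old@example.invalid"],
    "password_hash": "$2b$12$constructedplaceholderhash",
    "last_login_ip": "203.0.113.42",
    "real_name": "Example Owner",
    "location": "Example City",
}


def serialize_public_blog(account: Dict[str, Any]) -> Dict[str, Any]:
    """Copy only allowlisted keys into the response object.

    Dropping fields server-side is the fix: a client template that merely hides
    fields still ships them to the browser where a debugger can read them."""
    return {key: account[key] for key in PUBLIC_FIELDS if key in account}


def build_recommendations(accounts: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Assemble the JSON body for a recommendations module from full records."""
    return {"recommended": [serialize_public_blog(a) for a in accounts]}


def find_exposed_fields(payload: Any, path: str = "") -> List[str]:
    """Recursively scan a JSON-like payload and return dotted paths of any key
    that appears in SENSITIVE_KEYS. Suitable as an assertion in API tests or as
    a last-line check in a response filter."""
    exposed: List[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if key in SENSITIVE_KEYS:
                exposed.append(here)
            exposed.extend(find_exposed_fields(value, here))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            exposed.extend(find_exposed_fields(value, f"{path}[{index}]"))
    return exposed


if __name__ == "__main__":
    # Naive response: the full account record leaks straight to the client.
    naive_body = {"recommended": [SAMPLE_ACCOUNT]}
    print("naive:", find_exposed_fields(naive_body))
    # Allowlisted response: nothing sensitive is present to leak.
    print("allowlisted:", find_exposed_fields(build_recommendations([SAMPLE_ACCOUNT])))
```

The check is deliberately recursive so that nested objects (a blog embedded in a post, a post embedded in a feed) are covered as well; an over-exposure bug of this kind usually lives in a shared serializer, so one missed nesting level is enough to reintroduce it.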

There's "no evidence" that anyone exploited the bug, and "nothing to suggest" someone accessed unprotected info, Tumblr said. This doesn't completely rule out an intrusion, but there's no immediate sign of trouble.

This isn't as large an incident as the recent Facebook hack or Twitter's direct message bug, but it's still serious. Tumblr's code would have let attackers obtain info they could use for phishing scams, harassment and other campaigns. The transparency helps, but it also reinforces notions that data security is an ongoing problem at internet giants.

Verizon owns Engadget's parent company, Verizon Media. Rest assured, Verizon has no control over our coverage. Engadget remains editorially independent.
