Tumblr fixes security flaw that exposed account info

The recommended blogs feature showed more than it should.


S3studio via Getty Images

Tumblr just fixed a flaw that could have revealed much more than bloggers were comfortable with sharing. A security researcher talking to the social site (which is owned by Engadget's parent brand Oath, and thus Verizon) discovered a security hole in the "recommended blogs" module that let you obtain sensitive account information. If a blog showed up in the module, you could use a debugging tool to obtain someone's current and past email addresses, their obscured password, their name and the IP address from their last sign-in. You could also see their self-reported location, although that hasn't been an option for a while.

There's "no evidence" that anyone exploited the bug, and "nothing to suggest" someone accessed unprotected info, Tumblr said. This doesn't completely rule out an intrusion, but there's no immediate sign of trouble.

This isn't as large an incident as the recent Facebook hack or Twitter's direct message bug, but it's still serious. Tumblr's code would have let attackers obtain info they could use for phishing scams, harassment and other campaigns. The transparency helps, but it also reinforces notions that data security is an ongoing problem at internet giants.

Engadget was owned by Verizon between June 2015 and September 2021. Engadget's parent company is now Yahoo Inc.
