Image credit: S3studio via Getty Images

Tumblr fixes security flaw that exposed account info

The recommended blogs feature showed more than it should.

Tumblr just fixed a flaw that could have revealed much more than bloggers were comfortable with sharing. A security researcher talking to the social site (which is owned by Engadget's parent brand Oath, and thus Verizon) discovered a security hole in the "recommended blogs" module that let you obtain sensitive account information. If a blog showed up in the module, you could use a debugging tool to obtain someone's current and past email addresses, their obscured password, their name and the IP address from their last sign-in. You could also see their self-reported location, although that hasn't been an option for a while.

There's "no evidence" that anyone exploited the bug, and "nothing to suggest" someone accessed unprotected info, Tumblr said. This doesn't completely rule out an intrusion, but there's no immediate sign of trouble.

This isn't as large an incident as the recent Facebook hack or Twitter's direct message bug, but it's still serious. Tumblr's code would have let attackers obtain info they could use for phishing scams, harassment and other campaigns. The transparency helps, but it also reinforces notions that data security is an ongoing problem at internet giants.

Verizon owns Engadget's parent company, Verizon Media. Rest assured, Verizon has no control over our coverage. Engadget remains editorially independent.
