Tumblr bug bounty program detects flaw, no user info lost


The social media site Tumblr disclosed that it was able to head off a potential cybersecurity issue when its bug bounty program revealed a vulnerability that could have exposed user PII.

Tumblr credited its bug bounty program for finding the vulnerability.

The flaw was in Tumblr’s “Recommended Blogs” feature for logged-in desktop and mobile users.

“If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog,” Tumblr reported in a statement on the incident.

Tumblr does not believe the vulnerability was exploited or that any user information was accessed, but had it been, an unauthorized person could have obtained email addresses, hashed and salted passwords, locations, previously used email addresses, last login IP address and the name of the blog associated with the account.

The company said the flaw was fixed within 12 hours of being reported and that enhanced monitoring has been installed to detect and prevent similar problems from happening again.
