Tumblr patches data-exposing privacy bug
MANILA, Philippines – Tumblr disclosed on Wednesday, October 17 (October 18, Manila time) that it had patched a bug on its site that could have exposed the information of some of its users, though it said there was no evidence pointing to the bug being exploited.
According to Tumblr's disclosure, the bug was found on the Recommended Blogs module on the desktop version of the site. If a blog appeared on the module, debugging software used in a specific way could allow someone to view account information associated with the blog.
Tumblr said the bug was "rarely present" but could have allowed someone to view the following information had it been exploited:
- email address
- protected (hashed and salted) password of the Tumblr account
- self-reported location (no longer an available feature)
- previously used email addresses
- last login IP address
- the name of the blog associated with the account.
"Hashing" and "salting" a password refer to additional cryptographic processes that make it harder to crack a password.
Tumblr added it "thoroughly investigated any way in which our community could have been affected."
It found "no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed."
The vulnerability was discovered by a researcher working on Tumblr's bug bounty program, and the bug was resolved some 12 hours after initial reporting by the researcher. – Rappler.com