Tumblr says it’s fixed a security bug, but says ‘no evidence’ any user data was exposed

Tumblr has disclosed a security vulnerability on its site that in some cases could have exposed account information.

The bug was found in the part of the site that recommends other Tumblr blogs to users, according to a blog post. The blogging site said the “recommended blogs” module — only visible to logged-in users — could have exposed some account information associated with the blog.

Tumblr didn’t disclose much about how the bug worked, but said the information that could have been exposed included a blog owner’s email address, scrambled password (both hashed and salted) and their self-reported location, as well as previously used email addresses and the last login IP address.

The discovering security researcher contacted Tumblr and the bug was fixed within a day, and the bug finder was awarded an unknown amount from Tumblr’s bug bounty program. (Disclosure: Tumblr and TechCrunch are both owned by Oath, a division of Verizon.)

Tumblr said that it has so far found “no evidence” that the bug was abused and “nothing to suggest” that unprotected account information was accessed, but wanted to “be transparent” about the incident.

That’s good news on one hand, but it’s early days and that may change. It’s near-impossible for companies to confirm with absolute certainty that a bug wasn’t exploited, often until data turns up somewhere. And, because requests that exploit a software vulnerability often look just like legitimate, authorized requests, it’s difficult to differentiate between legitimate and malicious data access.

Tumblr’s disclosure is the latest incident in a string of security blunders at high profile tech companies. Facebook recently confirmed 29 million accounts were improperly accessed, Twitter said that a year-long bug could have exposed some private direct messages, and just last week Google said it would shut down its Google+ social network after a security incident exposed a half-million accounts.

Unlike Google, which only came clean about the bug after the decision not to inform customers was revealed by the Wall Street Journal, at least Tumblr went public before it was forced to.

A Tumblr spokesperson did not return a request for comment.



from www.tech-life.in