Bug in Tumblr possibly revealed personal users' data

Tumblr users have been offered a patch to save their private information

Tumblr releases a serious security update

A serious bug found in Tumblr's iOS app could have revealed users' personal information.

Tumblr staff recently revealed in their report[1] that they discovered a security vulnerability in the iOS app that sent users' passwords in plain text rather than over SSL. While the company's statement declares that there is no evidence that users' personal information has been misused, the patch was described as a “very important security update.”[2] The information concerned includes email addresses, previously used emails, passwords, IP addresses and the name of a blog associated with the user's account.

The bug was discovered by a security researcher who was auditing iOS applications for his employer in order to determine which apps were safe for company use. According to his report, the flaw was found in the code of the desktop version of the “Recommended Blogs” module. Only logged-in users can see this module, which lists blogs they can follow.

The same was declared by the company itself:

If a blog appeared in the module, it was possible, using debugging software in a certain way, to view certain account information associated with the blog.

There is no specific number of affected users

As the company revealed, it does not know how many accounts were affected among those whose blogs appeared in the recommended list. Tumblr cannot determine which specific accounts were exposed, and its analysis shows that the flaw was “rarely present.”

According to the company, the vulnerability was patched[3] about 12 hours after the report. The company also states that it wants to be transparent with users, and that this is the main reason it decided to disclose this information to the Tumblr community.

A report on security bugs reads the following:

It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.

Tumblr learns from others' mistakes

This is not the first time Tumblr, which was acquired by Yahoo in 2013, has had issues with data breaches. A few years ago, hackers managed to steal information on around 65 million users and sold it online.[4] At that time, the representatives of the microblogging site did not even bother to warn victims that they should change their passwords to unique and complex ones. The leaked emails could have resulted in increased spam campaigns and similar issues.

Unfortunately, we have seen numerous reports this year of legitimate sites having incidents with security bugs. Giants such as Google, Facebook, and Twitter are no exception. These sites contained flaws that could have allowed cybercriminals to track, collect and use sensitive user data. In the most recent Facebook incident,[5] the security bug was actually exploited and attackers managed to steal data from more than 30 million users.

About the author

Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.
