Tumblr promises it fixed a bug that left user data exposed

Tumblr says it has sorted out a bug on its site that could potentially have revealed user data.

The New York-based company said on Wednesday, October 17, that it had “some important information” that it wanted to share, before going on to explain the security flaw.

First, it wanted to make clear that so far it had no concrete evidence that any data had been stolen. At the same time, the company promised that the issue had been resolved and that no action — such as changing account passwords — was required on the part of users.

So, what happened? According to the blogging platform, a security researcher reported the problem several weeks ago via Tumblr’s bug bounty program. Engineers fixed the issue within half a day, and since then the company has taken steps to improve monitoring and analysis procedures to help it identify and fix any similar bugs in the future.

The flaw in question was linked to the “recommended blogs” feature on the desktop version of Tumblr. Recommended blogs are powered by an algorithm that displays a short, rotating list of blogs by other Tumblr users that may be of interest, and they appear only for people logged in to the Tumblr site.

According to Tumblr, if a user’s blog appeared in this module, it was possible, by “using debugging software in a certain way,” to view some of that user’s account information.

“We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed,” the company said.

It added that it couldn’t be sure which specific accounts were affected by the security flaw, but said that through its own analysis, “the bug was rarely present.”

At the worst, it’s possible that certain user account information could have been viewed, including email addresses, encrypted Tumblr account passwords, self-reported location (a feature that’s no longer available), previously used email addresses, the last login IP address, and the name of the blog linked to the account.

The company said it wanted to be transparent with its community about the security flaw, even though it’s confident that no user data was stolen while the bug was live. It’s early days, however, so no doubt Tumblr will be monitoring the situation closely to ensure that its assumptions are correct.

Not the first, won’t be the last …

Tumblr certainly isn’t the first social media service to get entangled in an issue linked to online security. Only recently, Facebook revealed a security vulnerability that gave hackers the chance to take control of as many as 30 million accounts, while Twitter said in September it’d squashed a security bug that leaked direct messages between users. And then there’s Google+, which said last week that a flaw had given hackers access to personal information linked to up to half a million accounts. The web giant said that following the hack, and because of a lack of interest among users in the platform, it plans to completely shut down Google+ by August 2019.

Trevor Mogg
Contributing Editor