
Tumblr security hole has researchers concerned

A cross-site scripting vulnerability means hackers could access users’ accounts or launch a worm.


Fernando Alfonso III


Like the Titanic on its fateful night, Tumblr is leaking like a sieve.


According to two Indian researchers, the microblogging service has a security hole that leaves users’ cookies vulnerable to hackers, reported Softpedia. Cookies are small pieces of data that are sent from a website to your web browser to help remind the site of your previous activity.

These Tumblr cookies can be used to log in to a Tumblr account, Aditya Gupta told Softpedia.

“Also, I could make a complete worm out of it, so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same,” Gupta said. “All automatically and without the user’s knowledge.”


Gupta and security specialist Subho Halder reportedly reached out to Tumblr to alert it to the vulnerability, but have not heard back.

Tumblr has been a popular target for hackers and scammers over the past two months.

“In May, Tumblr was hit by spam campaigns, including one designed to gain personally identifiable information through a fake dating site,” reported ThreatPost. “Another attack posed as an outdated version of a Tumblr login page. A third scam promised to monetize users’ tumblelogs for a small fee.”

The Daily Dot has reached out to Gupta and Halder, as well as Tumblr, for comment.


Update: Tumblr’s Katherine Barna says Tumblr is taking steps to deal with the possible security hole. “We work hard at Tumblr to give content creators as much control over their blogs as possible, including the ability to set and read their own cookies under their subdomain,” she writes.

“The cookies that are available to all subdomains are anonymous and not used for authentication or personal identification. We take careful measures to ensure authentication credentials are available only to Tumblr. We take reported vulnerabilities very seriously and are working closely with the researchers to address any concerns their report has raised.”
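Tumblr's statement draws the distinction that matters here: cookies shared across every subdomain carry nothing sensitive, while authentication credentials stay scoped to Tumblr itself, so script running on a user-controlled subdomain cannot read them. The small audit below, added as an illustration and not code from the article or from Tumblr, checks Set-Cookie headers for exactly that property: an authentication cookie must be host-only (no Domain attribute that pulls in subdomains), HttpOnly, and Secure, while an anonymous preference cookie may be subdomain-wide. The hostnames and cookie names are constructed placeholders.

```javascript
// Added example, not code from the article or from Tumblr. Hostnames and cookie
// names below are constructed placeholders; the Set-Cookie attribute grammar is the
// standard one (RFC 6265).

// Parse a single Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (HttpOnly, Secure) become `true`.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf("=");
  const name = nameValue.slice(0, eq).trim();
  const value = nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Would the browser send this cookie (set by setHost) to otherHost?
// No Domain attribute => host-only: returned only to the exact host that set it.
// Domain=example.test (leading dot ignored) => sent to that domain and all subdomains.
function cookieReachesHost(cookie, setHost, otherHost) {
  const domain = cookie.attrs.domain;
  if (!domain || domain === true) return otherHost.toLowerCase() === setHost.toLowerCase();
  const d = domain.replace(/^\./, "").toLowerCase();
  const h = otherHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Audit one Set-Cookie header. For an authentication cookie we require that it
// (1) does not reach the host serving user-controlled content, (2) is HttpOnly so
// script on any page cannot read it, and (3) is Secure. Anonymous cookies may be
// shared across subdomains, as the Tumblr statement describes, and get no findings.
function auditCookie(header, setHost, userContentHost, isAuthCookie) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!isAuthCookie) return findings;
  if (cookieReachesHost(cookie, setHost, userContentHost)) {
    findings.push(`${cookie.name}: reachable from ${userContentHost} (Domain=${cookie.attrs.domain || "host-only"})`);
  }
  if (cookie.attrs.httponly !== true) findings.push(`${cookie.name}: missing HttpOnly`);
  if (cookie.attrs.secure !== true) findings.push(`${cookie.name}: missing Secure`);
  return findings;
}

// Constructed sample: the site's own host vs. a subdomain where users control content.
const SITE_HOST = "www.example.test";
const USER_BLOG_HOST = "someblog.example.test";

const SAMPLE_HEADERS = [
  // Weak: session cookie shared with every subdomain and readable by script.
  { header: "session=CONSTRUCTED_SESSION_ID; Domain=.example.test; Path=/", auth: true },
  // Corrected: host-only, HttpOnly, Secure.
  { header: "session=CONSTRUCTED_SESSION_ID; Path=/; HttpOnly; Secure", auth: true },
  // Anonymous preference cookie: subdomain-wide scoping is acceptable.
  { header: "theme=dark; Domain=.example.test; Path=/", auth: false },
];

// Run the audit over the samples; returns one findings list per header.
function auditSamples() {
  return SAMPLE_HEADERS.map(({ header, auth }) => auditCookie(header, SITE_HOST, USER_BLOG_HOST, auth));
}

auditSamples().forEach((findings, i) => {
  console.log(SAMPLE_HEADERS[i].header);
  console.log(findings.length ? "  " + findings.join("\n  ") : "  OK");
});
```

The first sample header produces three findings (subdomain reach, no HttpOnly, no Secure); the corrected header and the anonymous preference cookie produce none. Host-only scoping is what keeps a session cookie out of reach of any script on a user's subdomain, and HttpOnly is the second layer in case a cookie is ever scoped too widely.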

Photo by stevendepolo

The Daily Dot