This article is more than 1 year old

Tumblr turns stumblr, left humblr: Blogging biz blogs bloggers' private info to world+dog

'No evidence' vulnerability was abused, though, we're told

Tumblr today reveal it has fixed a security bug in its website that quietly revealed private details of some of its bloggers.

This is quite an interesting bug. The desktop version of Tumblr shows a list of recommended blogs for logged-in users to check out. According to Tumblr, "it was possible, using debugging software in a certain way, to view certain account information" associated with the blogs shown in the box of recommendations.

By debugging software, Tumblr may be referring to your web browser's developer console, or page source inspection feature. We've asked for a clarification on that.

So what kind of information was disclosed for each recommended blog? We're told...

...this included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account.

So, basically details a Tumblr blogger may not want to be disclosed to the public. "We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present," Tumblr staff added.

It's a curious admission because Tumblr staff believe no one abused the security hole, it was reported privately via its bug bounty, and it was fixed within 12 hours.

It's good that Tumblr is being transparent, however, is this going to be the norm? Can you imagine the information overload if every Fortune 1000 company publicly disclosed every security bug discovered by a penetration test, bug bounty, or an internal audit? Perhaps that's good and proper, and what people want: honesty and transparency. However, there is a fear this practice will discourage organizations from looking in the first place, in order to avoid any negative headlines when they publicize their bug discoveries.

Uber CISO John Flynn

PSA: If your security starts and ends with bug bounties, you're gonna have a bad time


In any case, after Google copped a shedload of flak this month for not 'fessing up to a security flaw it quietly fixed in its doomed social network, Tumblr is striving to be as open as possible, at least before details of its bug leaks to reporters.

"It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love," sighed the Tumblr staffers. "We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do."

Don't forget, Google's Project Zero routinely discloses security flaws in other companies' products, yet Google stayed silent on its own programming blunder, so perhaps it should have disclosed on the grounds of fairness. But this is the world of technology, and playing fair usually gets you absolutely nowhere. ®

More about


Send us news

Other stories you might like