Earlier this month, the short-form blogging and social media tool Tumblr disclosed a vulnerability that could have exposed certain protected information to hackers under specific circumstances.
The news came at a bad time for social media platforms. Just a week prior, Facebook announced an industry-shaking data breach, around the same time that Google announced it was shutting down its Google+ service, also because of a huge data breach.
Within the context of those other stories, it’s important to fully understand the vulnerability and what it means if you use the service.
Problem with Recommended Blogs
According to Tumblr, an unnamed security researcher found a flaw in the “Recommended Blogs” feature on Tumblr, which displays a select, rotating list of other users’ blogs to the reader. When using the desktop version of the site, the researcher found that an attacker could expose blog owners’ information using debugging software in a certain way.
The vulnerable information wasn’t as critical as it could have been. Potentially exposed information included users’ email addresses, salted and hashed account passwords, self-reported location, prior email addresses, last login IP addresses, and blog names associated with the compromised account.
It’s interesting to note that the self-reported location is no longer an available feature.
More Vulnerability Than Breach
So, how bad is the news, really? In light of the breaches at Facebook and Google—we can count Twitter’s API flaw from September in the mix—Tumblr got extremely lucky. Its report was forthcoming about the vulnerability and its limitations.
Given that an attacker would need to see a recommended blog and then perform a specific set of actions, it’s easy to believe Tumblr’s assertions that it can’t determine whether specific accounts were affected and that the bug was “rarely present.” That rarity, and the fact that passwords were exposed only in salted and hashed form rather than in a more open manner, are encouraging.
While the Tumblr vulnerability might not reach the level of a data breach, it’s still important to be ready to respond if your data is compromised.
Contact Wheelhouse IT if you believe your information was compromised in any of these breaches to determine your best course of action to protect yourself from harm.