Tumblr has disclosed a security vulnerability on its site that in some cases could have exposed account information.
The bug was found in the part of the site that recommends other Tumblr blogs to users, according to a blog post. The blogging site said the “recommended blogs” module — only visible to logged-in users — could have exposed some account information associated with the blog.
Tumblr didn’t disclose much about how the bug worked, but said that a blog owner’s email address, scrambled password (both hashed and salted) and self-reported location, as well as previously used email addresses and the last login IP address, could have been exposed.
The discovering security researcher contacted Tumblr and the bug was fixed within a day, and the bug finder was awarded an unknown amount from Tumblr’s bug bounty program. (Disclosure: Tumblr and TechCrunch are both owned by Oath, a division of Verizon.)
Tumblr said that it has so far found “no evidence” that the bug was abused and “nothing to suggest” that unprotected account information was accessed, but wanted to “be transparent” about the incident.
That’s good news on one hand, but it’s early days and that may change. It’s near-impossible for companies to confirm with absolute certainty that a bug wasn’t exploited, often until data turns up somewhere. And, because requests that exploit a bug often look like legitimate, authorized ones in the software’s logs, it’s difficult to differentiate between legitimate and malicious data requests.
Tumblr’s disclosure is the latest incident in a string of security blunders at high-profile tech companies. Facebook recently confirmed 29 million accounts were improperly accessed, Twitter said that a year-long bug could have exposed some private direct messages, and just last week Google said it would shut down its Google+ social network after a security incident exposed a half-million accounts.
Unlike Google, which only came clean about the bug after the decision not to inform customers was revealed by the Wall Street Journal, at least Tumblr went public before it was forced to.
A Tumblr spokesperson did not return a request for comment.