Tumblr finds major security bug that could have leaked people's most personal information

The site has found no evidence the bug was abused, it said

Andrew Griffin
Thursday 18 October 2018 15:01 BST
The Tumblr application is seen on a mobile phone in this illustration photo March 7, 2018
The Tumblr application is seen on a mobile phone in this illustration photo March 7, 2018 (REUTERS/Thomas White/Illustration)

Tumblr has found a major security bug in its platform that could have leaked people's most personal information, it has said.

A problem with the innocent looking "recommended blogs" screen could have given up people's email addresses, passwords, old accounts, and where they were.

The issue has now been fixed and there is no evidence that it was actually used, Tumblr said. Users don't need to do anything to keep their account secure.

The bug was discovered through Tumblr's bug bounty programme, which pays security researchers if they are able to find problems with its software. That means that experts can get money for discovering the loopholes but not use them to steal people's information.

It was fixed within 12 hours of it being reported and Tumblr has taken extra steps to make sure that it is able to see and spot any similar bugs in the future.

The recommended blogs feature usually does exactly what it says: showing other blogs that a person might be interested in, if they're logged into their account.

But the bug meant that when a blog appeared in that module it could be hacked to find out information about the person who runs it.

Tumblr said it wouldn't be able to find out what specific accounts had been affected by the bug, but that it was "rarely present".

"It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love," the company wrote in a blog post. "We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies


Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in