
Tumblr promises it fixed a bug that left user data exposed

Tumblr says it has sorted out a bug on its site that could potentially have revealed user data.

The New York-based company said on Wednesday, October 17 that it had “some important information” that it wanted to share, before going on to explain about the security flaw.

First, it wanted to make clear that it so far had no concrete evidence that any data had been stolen. At the same time, the company promised that the issue had been resolved and that no action — such as changing account passwords — was required on the part of users.

So, what happened? According to the blogging platform, a security researcher reported the problem several weeks ago via Tumblr’s bug bounty program. Engineers fixed the issue within half a day, and since then the company has taken steps to improve monitoring and analysis procedures to help it identify and fix any similar bugs in the future.

The flaw in question was linked to the “recommended blogs” feature on the desktop version of Tumblr. Recommended blogs are powered by an algorithm that displays a short, rotating list of blogs by other Tumblr users that may be of interest, and the module only appears for people logged in to the Tumblr site.

According to Tumblr, if a user’s blog appeared in this module, it was possible, by “using debugging software in a certain way,” to view some of that user’s account information.

“We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed,” the company said.

It added that it couldn’t be sure which specific accounts were affected by the security flaw, but said that through its own analysis, “the bug was rarely present.”

At worst, certain user account information could have been viewed, including email addresses, encrypted Tumblr account passwords, self-reported location (a feature that’s no longer available), previously used email addresses, the last login IP address, and the name of the blog linked to the account.

The company said it wanted to be transparent with its community about the security flaw, even though it’s confident that no user data was stolen while the bug was live. It’s early days, however, so no doubt Tumblr will be monitoring the situation closely to ensure that its assumptions are correct.

Not the first, won’t be the last …

Tumblr certainly isn’t the first social media service to get entangled in an issue linked to online security. Only recently, Facebook revealed a security vulnerability that gave hackers the chance to take control of as many as 30 million accounts, while Twitter said in September it’d squashed a security bug that leaked direct messages between users. And then there’s Google+, which said last week that a flaw had given hackers access to personal information linked to up to half a million accounts. The web giant said that following the hack, and because of lack of interest among users in the platform, it plans to completely shut down Google+ by August 2019.

Trevor Mogg
Contributing Editor
Not so many moons ago, Trevor moved from one tea-loving island nation that drives on the left (Britain) to another (Japan)…