Tumblr finds major security bug that could have leaked people's most personal information

The site has found no evidence the bug was abused, it said

Andrew Griffin
Thursday 18 October 2018 15:01 BST
Comments
The Tumblr application is seen on a mobile phone in this illustration photo March 7, 2018
The Tumblr application is seen on a mobile phone in this illustration photo March 7, 2018 (REUTERS/Thomas White/Illustration)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Tumblr has found a major security bug in its platform that could have leaked people's most personal information, it has said.

A problem with the innocent looking "recommended blogs" screen could have given up people's email addresses, passwords, old accounts, and where they were.

The issue has now been fixed and there is no evidence that it was actually used, Tumblr said. Users don't need to do anything to keep their account secure.

The bug was discovered through Tumblr's bug bounty programme, which pays security researchers if they are able to find problems with its software. That means that experts can get money for discovering the loopholes but not use them to steal people's information.

It was fixed within 12 hours of it being reported and Tumblr has taken extra steps to make sure that it is able to see and spot any similar bugs in the future.

The recommended blogs feature usually does exactly what it says: showing other blogs that a person might be interested in, if they're logged into their account.

But the bug meant that when a blog appeared in that module it could be hacked to find out information about the person who runs it.

Tumblr said it wouldn't be able to find out what specific accounts had been affected by the bug, but that it was "rarely present".

"It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love," the company wrote in a blog post. "We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do."

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in