In an open letter from the staff, Tumblr revealed they recently fixed a security bug that could have potentially put some users’ information at risk. The bug was in the “Recommended Blogs” feature of Tumblr, which suggests accounts for users to follow.
The blogging platform is just the most recent social media site to deal with security issues. Earlier in September, Facebook users’ information was collected by attackers.
In an attempt to be transparent, the Tumblr staff posted a letter explaining the issue on their own account, staff.tumblr.com. The bug was found through Tumblr’s bug bounty program, which invites security researchers to test Tumblr’s system.
The bug in the Recommended Blogs feature was present only on the desktop version of Tumblr. When recommended blogs showed up, it was possible to use debugging software to view account information associated with that recommended blog.
Tumblr solved the issue 12 hours after it was initially reported. Staff investigated how the community could have been affected but found no evidence that the bug was actually abused. So no users’ account information was accessed.
However, information that could have been accessed included login information, meaning the email address and an encrypted password. Other information included self-reported location (no longer a feature on the site), last login IP address and the name of the blog associated with the account.
While no user account information was accessed, Tumblr feels it’s important to be open with its users about the existence of the bug.
“It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love,” the open letter says. “We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do.”