The Latest Tumblr Bug Is a Reminder of How Important It Is to Have Strong Passwords

Tumblr Security Bug

Although it rarely attracts as much media attention as Facebook or Twitter, Tumblr has always been one of the world's major microblogging/social network platforms. It gives hundreds of millions of users the opportunity to share thoughts and content or just waste time. When they log into their accounts on a desktop browser, these users are presented with a rather convenient 'Recommended Blogs' list which, as the name suggests, should act as a shortcut for blogs that might be of interest to them. It turns out that up until recently, it also served as a shortcut to some data that should normally be kept private.

Yesterday, Tumblr's staff announced that they had patched a rather serious security vulnerability. Apparently, using debugging software, it was possible to attack the "Recommended Blogs" widget and get users' passwords, email and IP addresses, blog titles, and location data.

Details are scarce

The bug was found by a security researcher and was disclosed privately via the microblogging platform's bug bounty program. In their post, Tumblr's people didn't name the security expert, and they decided not to say whether a bounty has been paid off. What they did point out is that within 12 hours of the private disclosure, the vulnerability was patched.

Not much was said around the bug, either. We don't know, for example, whether a browser's built-in Developer Tools would have been enough to exploit the bug or whether more specialized programs would have been needed. There's no information on how difficult the attack is to pull off, either.

There's nothing to worry about, says Tumblr

In light of yesterday's news, it's difficult to ignore the fact that Tumblr is owned by Oath. Oath, for those of you who don't know, is the new name of Yahoo! – the email provider that once suffered a cyberattack which compromised all of its 3 billion users. Thankfully, this time, such a devastating outcome is not likely.

In fact, Tumblr's post implies that the problem isn't really that big. The microblogging platform's security people said that they don't know how many users were affected by the bug, but they did point out that it was "rarely present." More importantly, found nothing to suggest that someone has actively exploited the vulnerability, and they also explained that the users' passwords, the most sensitive information that could have been exposed, had been hashed and salted, which, in theory, means that they couldn't be turned into their plaintext form.

All in all, Tumblr's people say that transparency is the only reason for disclosing the bug, and that users aren't required to change their passwords or do anything else. We, however, aren't so sure.

Indeed, if Tumblr's blog post is to be believed, this particular security bug won't affect anybody. The next time an online service is vulnerable, however, the security hole might be spotted not by a researcher, but by a hacker. And the next time, the passwords might not be salted and hashed.

As we mentioned last week, believing that every single online platform you sign up for will do enough to protect your data is not a very good idea. So, while you might be feeling thankful for Tumblr's honesty, you should also view the bug as proof that security vulnerabilities, both known and unknown, are everywhere. Taking precautions that would limit the damage in case of a potential breach is much easier than picking up the pieces after it has happened. Having strong, unique passwords for all your accounts is just one such precaution.

October 18, 2018