Tumblr Glitch Tosses Cookies of Blog Visitors
The hours each day you spend looking at funny Tumblr blogs, or updating your own, could put you at risk for a host of security problems.
As Softpedia reported, security researchers have discovered a cross-site scripting (XSS) flaw in the hugely popular blog hosting platform that could allow an attacker to obtain the Web cookies — small text files that store data sent from a website — of anyone who visits a Tumblr blog.
Tumblr combines elements of social networking and blogging. Users are invited to create accounts, after which they can follow other Tumblr users and are encouraged to create their own posts that others can follow.
Using these stolen Tumblr authentication cookies, the attacker could hijack the victim's accounts, researcher Aditya Gupta, who found the flaw with Subho Halder, told Softpedia. In the hands of an attacker, a Tumblr blog could also be exploited to potentially harm, and certainly bother, those who visit the flawed site.
"I could make a complete worm out of it," Gupta said, "so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same. All automatically and without the user's knowledge."
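One defensive pattern against the class of flaw described above, as an added example that is not Tumblr's code and assumes nothing about how Tumblr actually renders posts: HTML-escape user-authored post bodies before they are sent to visitors, and mark the session cookie HttpOnly so that even script which does run in a page cannot read it. The sample post body is constructed for this illustration.

```python
from html import escape
from http.cookies import SimpleCookie

# Constructed sample post body: user-authored text carrying markup that a
# visitor's browser would execute if the blog host echoed it back unescaped.
SAMPLE_POST = 'Look at this cat <script>alert(document.cookie)</script>'


def render_post(body: str) -> str:
    """Return the post body as HTML *text*, never as HTML markup.

    escape() rewrites <, >, &, " and ' so that any tags in the body are shown
    literally to the visitor instead of being parsed and run by the browser.
    """
    return f"<p>{escape(body, quote=True)}</p>"


def session_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie header value for a session cookie.

    HttpOnly keeps the value out of document.cookie, Secure restricts it to
    HTTPS, and SameSite=Lax stops most cross-site requests from carrying it.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["httponly"] = True
    cookie[name]["secure"] = True
    cookie[name]["samesite"] = "Lax"
    # output(header="") yields " name=value; HttpOnly; ..." with a leading space
    return cookie.output(header="").strip()


def is_script_readable(set_cookie: str) -> bool:
    """True if a cookie set with this header is visible to page script."""
    attrs = {part.strip().lower() for part in set_cookie.split(";")[1:]}
    return "httponly" not in attrs


if __name__ == "__main__":
    print(render_post(SAMPLE_POST))
    hdr = session_cookie_header("session", "abc123")
    print(hdr, "| readable by script:", is_script_readable(hdr))
```

Escaping alone would have blocked the injection the researchers describe; the HttpOnly flag is the second layer that limits what a script can take if an escaping bug slips through.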
Considering the 59.5 million blogs hosted on Tumblr have published nearly 25 billion posts, a small flaw on the site could lead to big trouble.
Gupta said he and Halder made their discovery public only after contacting Tumblr but failing to get the blog site's attention. To give Tumblr time to fix the security vulnerability, the researchers did not release details of their findings.