Article Lead Image

Researcher offers tips to avoid Tumblr’s security hole

Aditya Gupta, who discovered a vulnerability in Tumblr's system last weekend, explains how users can help prevent getting their cookies stolen. 


Fernando Alfonso III


Posted on Jun 15, 2012   Updated on Jun 2, 2021, 3:43 pm CDT

Tumblr has recruited the help of two Indian researchers who are working to fix a security hole that leaves users’ cookies available to hackers.

Aditya Gupta, 21, and fellow security researcher Subho Halder, 22, discovered the hole sometime last weekend when they were trying to start their own Tumblr blog.

“We noticed that it allows HTML content to be used in the posts. However, Tumblr did enforced security measures to be safe from hackers, but they weren’t strong enough,” Gupta told the Daily Dot in a Facebook message. “The vulnerability we discovered is called Cross Site Scripting, also known as XSS. Using a XSS attack, a hacker could put a XSS payload, in suppose his Tumblr post, and all the users who visit it, will get infected depending on the payload used by the attacker.”

Gupta, who is a student at India’s Kalinga Institute of Industrial Technology, took time to explain to us how Tumblr users can protect themselves.

Daily Dot: You say that the vulnerability allows for users cookies to be stolen. What does it mean for users’ information?

“The vulnerability does allow for cookies to be stolen, but only after a little bit of manipulation and social engineering. What we could do is, to open a full page iframe in the website, which appears to be the Tumblr login page. So, even if when the user checks the link to validate whether the login is real or not, he would be confirmed, since it would be the original Tumblr url. So he would easily enter his login credentials, and we would be getting it.

“Also, not only this, even if he [doesn’t] enter his username and password, we could make a XSS payload, so that as soon as the user visits my blog, his computer would be infected and installed by my backdoor.”

DD:  What can Tumblr users do to protect themselves?

“Make sure you don’t click on any suspicious links. And regarding the vulnerability which we have discovered, right now there is no fix for it. Unless Tumblr fixes it. We are in talks with Tumblr now.”

DD: Do you think we will begin to see more of these issues on Tumblr?

“Yes, this is a trend. XSS is not so uncommon. A lot of XSSes are found in even websites such as Google and Microsoft. We also found and reported a similar issue in Microsoft Bing communities, but that was much severe one than this. Microsoft guys were prompt enough to respond and fix, also mentioning us in their Security Researchers list. These kinds of issue will grow more on any website that allows users to upload/write their content, unless proper safety measures have been taken by the developer.”

DD:  Any last thoughts on the security issue?

“Users need to be careful while surfing online. Not only Tumblr, any website you visit, you have to be careful and make sure not to go for things such as ‘who viewed your profile,’ ‘dislike button’ and so on.

“Web developers need to use proper safety practices in their Web applications. Cause at the end of the day, it’s users safety and satisfaction that matters.”

Photo via Facebook

Share this article
*First Published: Jun 15, 2012, 3:44 pm CDT