
There is a DOM-based cross-site scripting (XSS) vulnerability in Tumblr, a researcher found.

If unfixed, the issue could end up exploited for spamming, spreading malware and phishing, said Portuguese security researcher David Sopas.


The vulnerability, present in assets.tumblr.com/assets/scripts/tumblelog_iframe.js, existed because two variables were not properly sanitized before reaching the page. The security hole could be exploited even by an unauthenticated attacker.
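As an added illustration of what "not properly sanitized" means for a DOM-based XSS, the following JavaScript is example code written for this page, not Tumblr's tumblelog_iframe.js, and the fragment parameter name (`name`), the wrapper markup and the constructed input are all assumptions. It shows a value taken from the URL fragment flowing into an HTML sink unescaped, the same flow with HTML escaping applied, and a small check a reviewer can run to flag markup that the template did not put there.

```javascript
// Added example for this article; not Tumblr's code. Runs under Node without a DOM
// by treating the rendered HTML string as the sink (in a browser this would be
// innerHTML or document.write).

// Source: parse a hypothetical "#name=<value>" fragment the way a widget script might.
function parseFragment(fragment) {
  const params = {};
  const body = fragment.startsWith('#') ? fragment.slice(1) : fragment;
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return params;
}

// Vulnerable sink: the untrusted value is concatenated straight into markup.
function renderUnsafe(params) {
  return '<div class="title">' + params.name + '</div>';
}

// Hardened sink: escape the five HTML-significant characters first so the
// value can only ever be rendered as text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

function renderSafe(params) {
  return '<div class="title">' + escapeHtml(params.name) + '</div>';
}

// Review check: does the rendered markup contain any tag other than the
// template's own <div> wrapper?
function containsInjectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(t => !/^<\/?div\b/.test(t));
}

// Constructed input: a harmless tag is enough to show that markup is interpreted.
const constructedFragment = '#name=' + encodeURIComponent('<b>injected</b>');
const params = parseFragment(constructedFragment);
console.log('unsafe :', renderUnsafe(params), '-> injected tag:', containsInjectedTag(renderUnsafe(params)));
console.log('safe   :', renderSafe(params), '-> injected tag:', containsInjectedTag(renderSafe(params)));
```

The escaping approach is the general fix for text-in-HTML sinks; a value destined for an attribute, a URL or a script context needs context-specific encoding instead, which is why a single "sanitize" helper applied to every variable is not sufficient on its own.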

For those that are not aware, Tumblr is a blogging platform that allows users to post text, images, videos, links, quotes and audio to their tumblelog, a short-form blog.


“When using this awesome blog platform — which hosts more than 138,4 million blogs — I came across a vulnerability that could be used by malicious users for a variety of illegal activities (steal user credentials, spread malware, spamming, etc),” Sopas said on his blog.

“This vulnerability could put millions of web surfers at risk of malicious user attacks,” he said.

Sopas said it took Tumblr over two months to address the flaw. Even after fixing it, the company didn’t notify Sopas.

Additional technical details and a proof-of-concept are available on Sopas’ blog.
