There is a DOM-based cross-site scripting (XSS) vulnerability in Tumblr, a researcher found.
If left unfixed, the issue could end up exploited for spamming, spreading malware and phishing, said Portuguese security researcher David Sopas.
The vulnerability, present at assets.tumblr.com/assets/scripts/tumblelog_iframe.js, existed because two variables were not properly sanitized. The security hole could be exploited even by an unauthenticated attacker.
For those who are not aware, Tumblr is a blogging platform that allows users to post text, images, videos, links, quotes and audio to their tumblelog, a short-form blog.
“When using this awesome blog platform — which hosts more than 138.4 million blogs — I came across a vulnerability that could be used by malicious users for a variety of illegal activities (steal user credentials, spread malware, spamming, etc.),” Sopas said on his blog.
“This vulnerability could put millions of web surfers at risk of malicious user attacks,” he said.
Sopas said it took Tumblr over two months to address the flaw. Even after fixing it, the company didn’t notify Sopas.
Additional technical details and a proof-of-concept are available on Sopas’ blog.