Tumblr has fixed a bug in its “Recommended Blogs” feature that disclosed private and personal information about the owners of the recommended blogs.
The Recommended Blogs feature displays a list of blogs that a logged-in user may find interesting. You can see an example of the Recommended Blogs feature below.
According to Tumblr, a security researcher disclosed this bug through Tumblr’s bug bounty and it was fixed by Tumblr’s engineering team within 12 hours of it being reported.
Using browser debugging tools, a logged-in user could access private account information for each listed blog, including IP addresses, email addresses, and hashed passwords. Tumblr has stated that there is no evidence that this bug was ever exploited, and has further said that the bug was rarely present.
“We’re not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present,” stated Tumblr’s security disclosure. “When it was, it was possible that certain user account information could have been viewed. This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account.”