Tumblr Users Should Beware of Cookie Thieves

Two researchers say they have found a security hole in Tumblr, one of the most popular sites on the Internet, that could be used to steal users’ authentication cookies and break into their accounts.

Aditya Gupta and Subho Halder say they have tried to contact Tumblr about the vulnerability by email and on Twitter, but so far no one has responded. The social sharing site hosts 59.4 million micro blogs and has published almost 25 billion posts.

The pair says they have identified a dangerous cross-site scripting vulnerability that poses risks for the site’s users, according to Softpedia.

“I could get the cookies of any user who visits my profile page. They are the actual Tumblr authentication cookies, which means I could use the cookies to log in to the respective user accounts,” Gupta said. “Also, I could make a complete worm out of it, so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same. All automatically and without the user’s knowledge.”

via Threatpost
