Tumblr Users Should Beware of Cookie Thieves

Two researchers say they’ve found a security hole in Tumblr, one of the most popular sites on the Internet, that could let an attacker steal users’ authentication cookies and break into their accounts.

Aditya Gupta and Subho Halder say they’ve tried to contact Tumblr about the vulnerability by using mail and Twitter, but so far no one has responded. The social sharing site hosts 59.4 million micro blogs and has published almost 25 billion posts.

The pair says they have identified a dangerous cross-site scripting vulnerability that poses risks for the site’s users, according to the site Softpedia.

“I could get the cookies of any user who visits my profile page. They are the actual Tumblr authentication cookies, which means I could use the cookies to log in to the respective user accounts,” Gupta said. “Also, I could make a complete worm out of it, so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same. All automatically and without the user’s knowledge.”

via Threatpost
