Tumblr Fixes DOM XSS Bug

Thursday, September 26, 2013 @ 06:09 PM gHale

There is a DOM-based cross-site scripting (XSS) vulnerability in Tumblr, a researcher found.

If unfixed, the issue could end upexploited for spamming, spreading malware and phishing, said Portuguese security researcher David Sopas.

Tumblr Fixes iOS Apps
Top Server OPC Vulnerability
Siemens Patches COMOS Hole
Sixnet Creates Universal Protocol Version

The vulnerability, present at assets.tumblr.com/assets/scripts/tumblelog_iframe.js, existed because of two variables not properly sanitized. The security hole could end up exploited even by an unauthenticated attacker.

For those that are not aware, Tumblr is a blogging platform that allows users to post text, images, videos, links, quotes and audio to their tumblelog, a short-form blog.

“When using this awesome blog platform — which hosts more than 138,4 million blogs — I came across a vulnerability that could be used by malicious users for a variety of illegal activities (steal user credentials, spread malware, spamming, etc),” Sopas said on his blog.

“This vulnerability could put millions of web surfers at risk of malicious user attacks,” he said.

Sopas said it took Tumblr over two months to address the flaw. Even after fixing it, the company didn’t notify Sopas.

Additional technical details and a proof-of-concept are available on Sopas’ blog.

Leave a Reply

You must be logged in to post a comment.