Security Bug Found In Tumblr Could Have Leaked Users' Personal Information

In an open letter, Tumblr revealed that it had found and fixed a security bug that could have put some users' information at risk.

The blogging platform wants to be transparent by announcing this issue and explaining how users could have been compromised. The company said that the bug was in the “Recommended Blogs” feature, which suggests accounts for users to follow.

The bug in question allowed bad actors to use debugging software to view account information associated with a recommended blog. The information that could have been compromised included login information, self-reported location (no longer available on the site), last login IP address and the name of the blog associated with the account.

The bug, which was only present on the desktop version of Tumblr, was found through a bug bounty program run by Oath, Tumblr’s parent company, which invites security researchers to test Tumblr’s system.

Tumblr squashed the bug around 12 hours after it was initially reported. Its staff investigated how the community could have been affected, but found "no evidence" that the bug was actually abused.

“We’ve also thoroughly investigated any way in which our community could have been affected,” the letter reads. “We found no evidence that this bug was abused, and there is nothing to suggest that unprotected account information was accessed.”

Still, the absence of any immediate sign of trouble does not completely rule out an intrusion.

The bug, if exploited, would have let attackers obtain the information they need for phishing scams, harassment and other campaigns.

It isn't clear if the bug affected individual accounts, according to the open letter. But an investigation concluded that the bug "was rarely present."

While Tumblr found no evidence of exploits, the company feels it’s important to be open with its users about the existence of the bug.

Its desire to be transparent with users about security bugs and potentially compromised information comes at a time when other social media platforms are being hit with criticism. Facebook has previously encountered several major security flaws, including the data breach that put 50 million users at risk, leading to widespread concern among those who were affected.

"It’s our mission to provide a safe space for people to express themselves freely and form communities around things they love. We feel that this bug could have affected that experience. We want to be transparent with you about it. In our view, it’s simply the right thing to do," said Tumblr.

Tumblr's transparency does help, but it clearly shows that data security is an ongoing problem at internet giants.

Published: 18/10/2018