The flaw could be leveraged to steal user cookies and more
“As you can see, I could get the cookies of any user who visits my profile page. They are the actual Tumblr authentication cookies, which means I could use the cookies to log in to the respective user accounts,” Gupta explained.
Stealing user sessions is apparently not the only thing this weakness makes possible. An attacker could leverage the flaw to cause even more serious damage.
“Also, I could make a complete worm out of it, so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same. All automatically and without the user’s knowledge,” he told us.
While the vulnerability seems highly dangerous, the researchers claim that so far Tumblr has ignored their findings.
“I have tried to contact them via Twitter and mail earlier, but no response from their side. So we have decided to release it. Well, not exactly where the vulnerability is, but just to let them know that it is vulnerable,” Gupta said.
Hopefully Tumblr will address the issue before a cybercriminal mastermind sees a “business opportunity” in it.
The experts have provided a working proof-of-concept, which of course we will not make public, at least not until the bug is fixed.