The issue was found by Portuguese security expert David Sopas

Sep 25, 2013 08:45 GMT  ·  By

Portuguese security researcher David Sopas has identified a DOM-based cross-site scripting (XSS) vulnerability in Tumblr. According to the expert, if unfixed, the issue could have been exploited for spamming, spreading malware and phishing.

The vulnerability, present at assets.tumblr.com/assets/scripts/tumblelog_iframe.js, existed because of two variables that were not properly sanitized. The security hole could have been exploited even by an unauthenticated attacker.

The expert reveals that it took Tumblr over two months to address the flaw. Even after fixing it, the company didn’t take the time to notify Sopas.

Many researchers have complained in the past about Tumblr’s lack of interest when it came to fixing security issues. It appears the company hasn’t done much to improve the way it collaborates with experts.

Additional technical details and a proof-of-concept are available on David Sopas’ blog.