Blogging platform Tumblr has revealed today that its site's desktop interface was affected by a bug that could have been abused to leak users' personal information.
Following an investigation, the company said it found "no evidence of this security bug being abused."
The issue, disclosed earlier today by the Tumblr staff, was located in the code of the "Recommended Blogs" widget that shows up on the desktop version of Tumblr blogs.
The widget, as its name implies, is only visible to logged-in users, and shows a rotating list of blogs that users should follow.
Tumblr said that "it was possible, using debugging software in a certain way, to view certain account information" for blogs that were listed in the Recommended Blogs widget.
"This included email address, protected (hashed and salted) password of the Tumblr account, self-reported location (a no longer available feature), previously used email addresses, last login IP address, and the name of the blog associated with the account," Tumblr said[1].
The company claimed that it "thoroughly investigated any way in which our community could have been affected," but found no evidence that an attacker had used this vulnerability to retrieve user data.
"We're not able to determine which specific accounts could have been affected by this bug, but our analysis has shown that the bug was rarely present," the company added.
Tumblr said it became aware of the issue after a security researcher found the bug and reported the problem through its bug bounty program.
The company didn't reveal the researcher's name but said it patched the vulnerability 12 hours after it received the researcher's report, "a few weeks ago."
In the past month, a large number of Silicon Valley companies have reported security incidents,