July 9th 2022 archive

I’ve never seen a more unprofessional site in my life.

Through dumb luck, I was able to get hold of someone on Twitter who claimed to work for Tumblr’s security. At best, this was dubious. But even after giving him a thorough explanation of the site security issues that I had been attempting to report to Tumblr since the middle of May — the oauth issues, which allow hackers to brute force themselves into the back end of Tumblr’s site at a higher authorization level than they should have, effectively making the site their playground to do with as they pleased — he refused to take me seriously because I would not give him the aliases of the hackers that I knew to have been involved in the mid-May data breach, and he persisted in asking me for screenshots of people’s e-mail addresses and plain text passwords (which I was not comfortable going to all of the effort of getting for him, because it meant that even more people who should not have known these things would be laying eyes on them, and it was not as though he couldn’t have found this out for himself by looking at the database that these things were being stored in). It was hilarious that he insisted on Tumblr site passwords being hashed and salted, though — the person who reached out to me as a direct result of a blog post of mine on here that addressed it laughed when I brought that up to him and mentioned how pathetically easy it was for the passwords to be brute-forced into plain text, and I believe someone who has been on the periphery of the circle of friends that I grew up with before I would ever believe some pompous prick.

Although it did amuse me a little bit to see how incensed I made this alleged “site security” person by mentioning that Tumblr was not and never would be a safe site for minors to use (and that, at that, I did not want and would not be letting my own minor children have accounts on or even use the site for a multitude of reasons), the straw that seemed to break the camel’s back was him figuring out that more than one hacker had gotten into Tumblr’s back end in 2013, when one of them made it public knowledge… and that I had alluded to there being more than one, suggesting that I knew who the other person was, and following that up by stating that I would not be giving that information to Tumblr either. Someone I knew who was willing to do some white hatting for me, as the kids like to call it, was able to confirm that the oauth exploit continues to exist to this day and can be exploited by any hacker with enough knowledge and persistence, which puts to rest this “not being a problem”. At the end of my conversation with Tumblr “site security”, I actually asked Tumblr to IP ban me because I did not and do not even want to risk my children accidentally finding the site. And I will regularly be asking Tumblr to do it until they actually do it, too…