In case anyone wonders about Tumblr’s opsec…

In case anyone’s wondering about Tumblr (which I know I’ve mentioned in here before), to the best of my knowledge — and I grew up around people who became experts in fields like computing, graphics design, hacking, programming, and web design — it has not been made any safer. One of my friends, who is brilliant at what he is able to do, regularly confirms that Tumblr’s oauth exploit is still there whenever conversation about Tumblr shows up… usually on Twitter, and especially since Elon Musk now owns it. This continues to lead to the ability for hackers to session hijack, so it shouldn’t surprise anyone that this is continuing to be done by hackers… and the more innovative of them are using staff logins to hide their tracks, although I’ve long since joked — which is not a joke at this point — that any hacker who knows his way around a tin can knows how to hide evidence that he was hacking. Tumblr has been hacked into far more times than they have ever been willing to admit to, because the only times they admit to it are when they find evidence that they have been hacked or when a hacker goes public with the fact that they did so and Tumblr wants to save face. Their “site security” only cares about keeping the site safe and secure if enough information can be given to Tumblr about the hackers to facilitate pursuit of them via law enforcement and the court system, otherwise they don’t care to fix day zero exploits that have very likely been around since the site was first formed. At one point someone had actually injected malware into Tumblr uploading it through the oauth exploit, which I actually screenshot on my computer as I had been attempting to view a friend’s Tumblr when my firewall began telling me that it was blocking attempts Tumblr had been making to infect my computer… but that actually seemed to get fixed within a few days, although Tumblr has been mum on the whole issue.

To be honest, I continue to advise people not to use Tumblr, and I am all the more vigilant advising parents not to let their minor children (teenagers) make an account on Tumblr. The safety issues are too much, there are almost no instances where their content moderation team actually gets it right (let alone keeps it right) and the sheer number of exploits that are still to this day accessible on their site means that nothing you post there is even remotely safe. I do not have an account on Tumblr and I won’t ever let my kids have them.

Leave a Reply