I need to make a tag for these kinds of posts.

So, I got around to submitting proof of concept code regarding Tumblr’s open oauth exploit — which, might I add, is still open — to Tumblr. At the suggestion of a friend, I did so on HackerOne. I’ve only gotten one response to my submission so far, and that was — I’m guessing someone working for Tumblr? I don’t know — asking me if I could… replicate the oauth exploit for them. That was, and is, not something I am comfortable doing because a site with a history like Tumblr’s essentially asking me to hack them is absolutely not as good as it sounds. I wouldn’t put it past them to tell me to do that and then get me into some kind of trouble for doing it. I’ve tried to talk to their “site security” about it, and he was bad enough, even though now I have the proof of concept code detailing that this exploit continues to be open and continues to be fairly severe. Like I’ve said in previous posts, this may be a day zero or day one exploit.

I guess we’ll be seeing in the coming days or weeks what Tumblr does with the proof of concept code, or if they continue to ignore it like their entire site has for years. That wouldn’t surprise me one bit if they did.

Leave a Reply