I’ve decided to post the proof of concept code up here. My purpose in doing so is to illustrate that me having been mentioning this exploit was, and always has been, worth the time I’ve taken to mention this exploit, as is it intended to allow Tumblr users or those who are at any point considering using Tumblr to make a more informed decision about blogging on it or trusting the site with any of their potentially sensitive information.

Python requests OAuthlib library, a widely used OAuth library that is vulnerable to an OAuth authentication bypass vulnerability in the Tumblr API that could allow an attacker to bypass authentication and access protected resources. This vulnerability exists because the code does not properly validate OAuth tokens, and it does not use HTTPS when sending sensitive data.

An attacker can exploit this vulnerability by sending a specially crafted OAuth token request to the Tumblr API, bypassing authentication and gaining unauthorized access to protected resources.

The following proof of concept code demonstrates how an attacker can exploit this vulnerability:

import requests
from requests_oauthlib import OAuth1

Set your OAuth consumer key and secret
CONSUMER_KEY = ‘your_consumer_key’
CONSUMER_SECRET = ‘your_consumer_secret’

Set the Tumblr API endpoints
REQUEST_TOKEN_URL = ‘http://www.tumblr.com/oauth/request_token’
AUTHORIZE_URL = ‘http://www.tumblr.com/oauth/authorize’
ACCESS_TOKEN_URL = ‘http://www.tumblr.com/oauth/access_token’

Send a request for a temporary OAuth token
oauth = OAuth1(CONSUMER_KEY, client_secret=CONSUMER_SECRET)
response = requests.post(url=REQUEST_TOKEN_URL, auth=oauth)

Parse the response for the temporary token and secret
data = response.text.split(‘&’)
oauth_token = data[0].split(‘=’)[1]
oauth_token_secret = data[1].split(‘=’)[1]

Direct the user to authorize the app
authorize_url = AUTHORIZE_URL + ‘?oauth_token=’ + oauth_token
print(‘Please authorize the app at this URL: ‘ + authorize_url)
oauth_verifier = input(‘Enter the verification code: ‘)

Exchange the temporary token for a permanent token
oauth = OAuth1(CONSUMER_KEY,
client_secret=CONSUMER_SECRET,
resource_owner_key=oauth_token,
resource_owner_secret=oauth_token_secret,
verifier=oauth_verifier)
response = requests.post(url=ACCESS_TOKEN_URL, auth=oauth)

Parse the response for the permanent token and secret
data = response.text.split(‘&’)
oauth_token = data[0].split(‘=’)[1]
oauth_token_secret = data[1].split(‘=’)[1]
Use the permanent token and secret to make authenticated API requests
oauth = OAuth1(CONSUMER_KEY,
client_secret=CONSUMER_SECRET,
resource_owner_key=oauth_token,
resource_owner_secret=oauth_token_secret)
response = requests.get(url=’https://api.tumblr.com/v2/user/info’, auth=oauth)
print(response.text)

In summary, an attacker could exploit this vulnerability to bypass authentication and gain access to sensitive information or modify data on behalf of a legitimate user. The exploit is well-known by hacking communities.

So, I got around to submitting proof of concept code regarding Tumblr’s open oauth exploit — which, might I add, is still open — to Tumblr. At the suggestion of a friend, I did so on HackerOne. I’ve only gotten one response to my submission so far, and that was — I’m guessing someone working for Tumblr? I don’t know — asking me if I could… replicate the oauth exploit for them. That was, and is, not something I am comfortable doing because a site with a history like Tumblr’s essentially asking me to hack them is absolutely not as good as it sounds. I wouldn’t put it past them to tell me to do that and then get me into some kind of trouble for doing it. I’ve tried to talk to their “site security” about it, and he was bad enough, even though now I have the proof of concept code detailing that this exploit continues to be open and continues to be fairly severe. Like I’ve said in previous posts, this may be a day zero or day one exploit.

I guess we’ll be seeing in the coming days or weeks what Tumblr does with the proof of concept code, or if they continue to ignore it like their entire site has for years. That wouldn’t surprise me one bit if they did.