A few days ago, I have tested the site Tumblr.com (one of the most popular mini-blog platforms) and saw something quite fun (and strange) that you can logout anyone account at Tumblr when they visit your blog.
The point is Description field, this field will display on your homepage but it not only enable to input text but also the JavaScript. Below is my step:

  • Login to your account.
  • Edit theme (https://www.tumblr.com/customize).
  • At Description field, enter the script:

  • Save, go to the main URL and check.

Example: http://buithanhsang.tumblr.com/

Tumblr_logout

Whenever the user visits your blog, the logout function will automatically activate and some inconvenience will happen. This is not a big risk to web security, but so annoyed if it happens to the user.

I have reported this issue to Tumblr team and they think “We feel attackers capable of enticing users to click on links to their blogs have other methods that could lead to the same affect (overflowing the cookie jar to bump out Tumblr cookies)“. But the good news is “However, we are coincidentally currently working on better protections against malicious attempts to forcibly log people out by similar means.

Just share to improve the product quality, do not use this for your bad ideas 🙂

 

Leave a Comment

Your email address will not be published. Required fields are marked *