The researchers say the flaw could allow a user to access the Tumblr authentication cookies of all users who visit their profile page -- and then leverage those cookies to access the other users' accounts.
What's more, Softpedia's Eduard Kovacs quotes Gupta as saying, "I could make a complete worm out of it, so when one person views my profile, he would repost my post and everyone in his list who would see it would then be doing the same. All automatically and without the user’s knowledge."
"While the vulnerability seems highly dangerous, the researchers claim that so far Tumblr has ignored their findings," Kovacs writes. "'I have tried to contact them via Twitter and mail earlier, but no response from their side. So we have decided to release it. Well, not exactly where the vulnerability is, but just to let them know that it is vulnerable,' Gupta said."
"Considering the 59.5 million blogs hosted on Tumblr have published nearly 25 billion posts, a small flaw on the site could lead to big trouble," writes SecurityNewsDaily's Matt Liebowitz.
"In May, Tumblr was hit by spam campaigns, including one designed to gain personally identifiable information through a fake dating site," notes Threatpost's Anne Saita. "Another attack posed as an outdated version of a Tumblr login page. A third scam promised to monetize users' tumblelogs for a small fee."