Tumblr Bug Bounty ($200)

Myo Min Thu
Feb 5 · 2 min read

Hi everyone,

I want to tell how I got $200 from the Tumblr bug bounty program.

  1. Follow by email allows following by unverified emails ($100)
  2. Theme assets uploader allows HTML content ($100)

The first bug is based on adding an email. You can add an email without verifying it, but that alone is not a vulnerability and does not affect Tumblr customers.

I found a function on Tumblr that allows searching for a blog by email.

So an attacker creates a Tumblr blog using the victim's domain email. When another user searches for the victim's domain email, they see the attacker's blog.

I reported it to Tumblr via HackerOne. They accepted my report and awarded $100.

Report: https://hackerone.com/reports/762121

The second bug is a file upload bypass. They allow bloggers to upload theme assets, but they do not allow HTML files to be uploaded. They do allow JSON files.

I tried to upload a JSON file containing HTML code. Fail.

I used file.json with JSON code that includes an alert.

Success. Then I tried using a double extension, file.json.html. Boom! The file uploaded. I went to the file path and got the alert.

I reported it to Tumblr and got $100 again.

Report: https://hackerone.com/reports/769998
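As an added example (not Tumblr's code, and the post does not say how their check actually worked), here is the kind of loose extension check that a name like file.json.html slips past, beside a hardened validator that judges only the final extension, requires JSON uploads to parse, and serves assets with a fixed Content-Type and nosniff so the browser never renders them as HTML. The allow-list and file names are constructed.

```python
import json
import os
import re

# Constructed allow-list for a theme-asset uploader (illustrative, not Tumblr's).
ALLOWED = {".json": "application/json", ".css": "text/css", ".png": "image/png"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$")


def weak_is_allowed(filename: str) -> bool:
    """Assumed weak check: passes if *any* dotted segment is an allowed extension.
    'file.json.html' gets through because '.json' appears somewhere in the name."""
    parts = filename.lower().split(".")[1:]
    return any(f".{p}" in ALLOWED for p in parts)


def strict_is_allowed(filename: str, content: bytes) -> bool:
    """Hardened check: reject odd names (path separators, no extension),
    look only at the final extension, and require .json content to parse."""
    if not SAFE_NAME.match(filename):
        return False
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED:
        return False
    if ext == ".json":
        try:
            json.loads(content.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            return False
    return True


def response_headers(filename: str) -> dict:
    """Headers for serving an accepted asset: Content-Type taken from the
    allow-list (never from the client) plus nosniff, so a JSON body that
    happens to contain markup is not sniffed and rendered as HTML."""
    ext = os.path.splitext(filename.lower())[1]
    return {
        "Content-Type": ALLOWED[ext],
        "X-Content-Type-Options": "nosniff",
    }
```

Content validation alone is not enough: a JSON string literal can still contain markup, which is why the fixed Content-Type and nosniff header on the serving side matter as much as the upload check.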

I am a noob but I am a lucky man. Thanks for reading.
