Tumblr Bug Bounty ($200)

Hi everyone,

I want to tell how I got $200 from the Tumblr bug bounty program.

  1. Follow by email allows following by unverified emails ($100)
  2. Theme Assets uploader allows HTML content ($100)

The first bug is based on adding an email address. You can add an email to your account without verifying it, but on its own that is not a vulnerability and it does not affect Tumblr users.

I found a function on Tumblr that allows searching for a blog by email address.

So an attacker creates a Tumblr blog and adds an unverified email address on the victim's domain. When another user searches for the victim's email address, they see the attacker's blog.
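The root cause is that the lookup trusts an address the account merely claimed, not one it proved control of. The following is an added example (my own toy model, not Tumblr's code) of a blog directory with an unverified-email lookup beside the fixed one that only matches verified addresses; the `BlogDirectory` class, the token flow and the sample blog names are assumptions made for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


# Constructed toy account store for the example; not Tumblr's data model.
@dataclass
class Account:
    blog: str
    verified_emails: set = field(default_factory=set)
    pending: dict = field(default_factory=dict)  # email -> verification token


class BlogDirectory:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create_blog(self, blog: str) -> Account:
        acct = Account(blog=blog)
        self.accounts[blog] = acct
        return acct

    def add_email(self, blog: str, email: str) -> str:
        """Attach an email to a blog. It stays unverified until the token
        that was sent to that mailbox is presented. The token is returned
        here only so the example can drive the flow; a real system would
        only ever email it to the address itself."""
        token = secrets.token_urlsafe(32)
        self.accounts[blog].pending[email.lower()] = token
        return token

    def verify_email(self, blog: str, email: str, token: str) -> bool:
        """Promote an address to verified when the correct token is shown."""
        acct = self.accounts[blog]
        expected = acct.pending.get(email.lower())
        if expected is None or not hmac.compare_digest(expected, token):
            return False
        del acct.pending[email.lower()]
        acct.verified_emails.add(email.lower())
        return True

    def search_vulnerable(self, email: str) -> list[str]:
        """Flawed lookup: matches any address an account has *claimed*,
        verified or not. An attacker who adds the victim's address to their
        own blog is returned for searches of that address."""
        e = email.lower()
        return [b for b, a in self.accounts.items()
                if e in a.verified_emails or e in a.pending]

    def search_fixed(self, email: str) -> list[str]:
        """Hardened lookup: only verified addresses are searchable, so an
        unverified claim on someone else's address is invisible."""
        e = email.lower()
        return [b for b, a in self.accounts.items() if e in a.verified_emails]
```

In this model the attacker's blog shows up for `search_vulnerable("ceo@victim.example")` as soon as the address is added, while `search_fixed` returns nothing until the address owner presents the token.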

I reported it to Tumblr via HackerOne. They accepted my report and awarded $100.

Report: https://hackerone.com/reports/762121

The second bug is a file upload bypass. Tumblr lets bloggers upload theme assets, but it does not allow HTML files to be uploaded. It does allow JSON files.

I tried to upload a .json file containing HTML code. It failed.

Then I used file.json with JSON content that included alert code.

That uploaded successfully. Next I tried a double extension, file.json.html. Boom! The file was uploaded. Going to the file path, I got the alert.
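The pattern here is an extension check that can be satisfied by a name with two extensions, while the file is later served under the last one. The following is an added example (my own code, not Tumblr's validator, and the flawed check is a plausible reconstruction, not a claim about what Tumblr actually did) showing a first-extension check that accepts `file.json.html` next to a hardened version that decides the type from the last extension, checks the body against that type, and returns the MIME type the file must be served with. The allow-list, the magic-byte checks and the helper names are assumptions made for the illustration.

```python
import json
import os

# Constructed allow-list for the example (assumption, not Tumblr's list).
ALLOWED_EXTENSIONS = {".json", ".png", ".jpg"}
MIME_BY_EXT = {".json": "application/json", ".png": "image/png", ".jpg": "image/jpeg"}


def allowed_vulnerable(filename: str) -> bool:
    """A plausible flawed check (assumption): it reads the extension after the
    first dot, so 'file.json.html' is classified as JSON and accepted even
    though the web server will later serve it by its .html suffix."""
    base = os.path.basename(filename)
    if "." not in base:
        return False
    first_ext = "." + base.split(".")[1].lower()
    return first_ext in ALLOWED_EXTENSIONS


def content_ok(ext: str, data: bytes) -> bool:
    """Validate the body against the type claimed by the extension. A .json
    upload must actually parse as JSON, so an HTML document under a .json
    name is rejected; images are checked by their magic bytes."""
    if ext == ".json":
        try:
            json.loads(data.decode("utf-8"))
            return True
        except (UnicodeDecodeError, ValueError):
            return False
    if ext == ".png":
        return data.startswith(b"\x89PNG\r\n\x1a\n")
    if ext == ".jpg":
        return data.startswith(b"\xff\xd8\xff")
    return False


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened check: the *last* extension decides the type (os.path.splitext
    gives '.html' for 'file.json.html'), the body must match it, and the
    returned MIME type is what the asset must be served with."""
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, ""
    if not content_ok(ext, data):
        return False, ""
    return True, MIME_BY_EXT[ext]


def response_headers(mime: str) -> dict:
    """Headers to serve a validated asset with. nosniff stops the browser from
    guessing a different type from the body, so even a JSON file that happens
    to contain '<script>' is never interpreted as HTML."""
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
```

The validation alone is not the whole fix: a JSON body containing `<script>` is still valid JSON, so what keeps it from running is serving every asset with its validated `Content-Type` and `X-Content-Type-Options: nosniff`, ideally from a separate origin so that anything that does slip through cannot read the main site's cookies.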

I reported it to Tumblr and got $100 again.

Report: https://hackerone.com/reports/769998

I am a noob, but I am a lucky man. Thanks for reading.
