Tumblr Post+ Creator and Got Paid $100
A low-impact but unexpected vulnerability was found in Tumblr's Post+ system: users could subscribe to creators who had already opted out of Post+. The bug involved access-control and payment-flow issues, and ultimately earned the reporter a $100 bounty. 2025-7-19 13:12:50 Author: infosecwriteups.com

A low-impact but unexpected behavior in Tumblr’s Post+ system allowed subscriptions to creators who had already opted out — here’s how I found it, how it worked, and why it still mattered.

Monika sharma

Introduction

Tumblr’s Post+ was designed to let creators monetize exclusive content. But what happens when a user can still subscribe to a creator who has already opted out?

While this behavior might seem harmless at first glance, digging deeper reveals unexpected application logic — leading to inconsistencies in access control, payment flow, and potentially creator visibility.

In this write-up, I’ll walk you through a quirky but fascinating bug that allowed me to subscribe to an inactive Post+ creator, earning a $100 bounty for responsibly reporting the issue to Automattic.

Understanding Tumblr’s Post+ and the Bug Context

Tumblr’s Post+ feature relies on a WooCommerce-powered payment flow that links a creator’s Post+ status to a unique blogMembershipsId. When a creator opts in, a checkout URL is generated using that ID. If they opt out, the expectation is that the creator’s Post+ content and checkout capabilities are disabled.
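The check the paragraph above describes, the creator's current opt-in state gating both the issuing of a checkout URL and the completion of an order, is easy to state and easy to get wrong. The following is an added illustration in Python, not Tumblr's or WooCommerce's code: it models a membership table in memory and contrasts a checkout handler that only verifies that a `blogMembershipsId` resolves with one that also verifies the creator is still active. All names (`MembershipStore`, `post_plus_active`, the `checkout.example.invalid` host, the sample ID `mid-12345`) are assumptions made for the example.

```python
"""Hypothetical model of a creator-subscription checkout flow (added example,
not Tumblr's or WooCommerce's code; every name here is an assumption)."""
from dataclasses import dataclass
from typing import Dict, Optional


class CheckoutError(Exception):
    """Raised when a checkout URL must not be issued or honored."""


@dataclass
class Creator:
    blog_name: str
    blog_memberships_id: str   # stand-in for the page's blogMembershipsId
    post_plus_active: bool     # True while the creator is opted in


class MembershipStore:
    """In-memory stand-in for the membership table (constructed for the example)."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Creator] = {}

    def add(self, creator: Creator) -> None:
        self._by_id[creator.blog_memberships_id] = creator

    def lookup(self, blog_memberships_id: str) -> Optional[Creator]:
        return self._by_id.get(blog_memberships_id)

    def opt_out(self, blog_memberships_id: str) -> None:
        # Opting out flips the flag but keeps the row: existing subscribers and
        # payment history still reference the ID, so the ID alone stays resolvable.
        self._by_id[blog_memberships_id].post_plus_active = False


CHECKOUT_BASE = "https://checkout.example.invalid/subscribe"  # assumed host


def checkout_url_stale(store: MembershipStore, blog_memberships_id: str) -> str:
    """Weak form: treats 'the ID resolves' as 'the creator can be subscribed to'.

    Because opt-out does not delete the row, anyone holding the ID can still
    obtain a checkout URL after the creator has left Post+.
    """
    if store.lookup(blog_memberships_id) is None:
        raise CheckoutError("unknown blogMembershipsId")
    return f"{CHECKOUT_BASE}?blogMembershipsId={blog_memberships_id}"


def checkout_url_checked(store: MembershipStore, blog_memberships_id: str) -> str:
    """Hardened form: the creator's *current* opt-in state gates the checkout."""
    creator = store.lookup(blog_memberships_id)
    if creator is None or not creator.post_plus_active:
        raise CheckoutError("creator is not an active Post+ creator")
    return f"{CHECKOUT_BASE}?blogMembershipsId={blog_memberships_id}"


def complete_order(store: MembershipStore, blog_memberships_id: str, subscriber: str) -> dict:
    """Re-check at payment capture, not only at link generation: a URL minted
    while the creator was active may be submitted after they opt out."""
    creator = store.lookup(blog_memberships_id)
    if creator is None or not creator.post_plus_active:
        raise CheckoutError("refusing to complete order for inactive creator")
    return {"subscriber": subscriber, "creator": creator.blog_name, "status": "active"}


def demo() -> dict:
    """Walk through opt-in, URL issuance, opt-out, and the two behaviours."""
    store = MembershipStore()
    store.add(Creator("artist-blog", "mid-12345", post_plus_active=True))  # constructed sample
    url_before = checkout_url_checked(store, "mid-12345")   # issued while opted in

    store.opt_out("mid-12345")
    stale_url = checkout_url_stale(store, "mid-12345")      # still issued: the bug class
    try:
        checkout_url_checked(store, "mid-12345")
        checked_ok = True
    except CheckoutError:
        checked_ok = False
    try:
        complete_order(store, "mid-12345", "subscriber-1")   # replay of url_before
        order_ok = True
    except CheckoutError:
        order_ok = False

    return {
        "url_before_opt_out": url_before,
        "stale_url_after_opt_out": stale_url,
        "checked_issues_url_after_opt_out": checked_ok,
        "order_completes_after_opt_out": order_ok,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `complete_order` is that a checkout URL is a bearer capability: once issued it can be replayed, so the opt-in check must be repeated wherever money changes hands or a subscription record is written, not only where the link is generated.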


Source: https://infosecwriteups.com/tumblr-post-creator-and-got-paid-100-e3659f776cb5?source=rss----7b722bfd1b8d--bug_bounty