I have found two parameters at api.tumblr.com:
consumer_secret allows modifying
oa_consumer_secret cookie values and properties.
An attacker can send a malicious link to reset the cookies of api.tumblr.com, which leads to a DoS. To trigger the DoS, the target/victim account needs to click a malicious link.
To restore the account, the victim needs to delete all cookies on api.tumblr.com.
Similar issue: https://hackerone.com/reports/583819
Login at https://www.tumblr.com/
Go to https://www.tumblr.com/oauth/apps and create a random application
/!\ If the cookies "oa-consumer_key" && "oa_consumer_secret" already exist, the attack doesn't work /!\
After creating your application, click the following malicious link
Go back to https://www.tumblr.com/oauth/apps and try to connect to api.tumblr.com by clicking "Explore API". You will be redirected to https://www.tumblr.com/oauth/authorize?oauth_token=*&source=console; click to authorize
Log out and log in at tumblr.com
Try again to connect to your application
You can follow me in the video POC.
Thanks, good bye.
Denial of Service and cookie manipulation
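
One way a server could refuse to store a request-supplied value in the oa_consumer_secret cookie, shown as an added example that is not part of the original report and not Tumblr's code. The function names, the in-memory registry of secrets and the fixed attribute set are assumptions, since the report does not describe the server-side handler.

```python
import hmac
import re

# RFC 6265 cookie-octet: visible ASCII except DQUOTE, comma, semicolon, backslash.
# The length cap (128) is an assumed limit, not a documented one.
_COOKIE_OCTETS = re.compile(r"[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]{1,128}")

# Constructed sample data: secrets of the applications each user registered.
REGISTERED_SECRETS = {"user-1": {"s3cr3tAppValue0123456789"}}


def owns_secret(user_id, candidate):
    """Constant-time check that the secret belongs to one of the user's own apps."""
    return any(
        hmac.compare_digest(candidate.encode(), known.encode())
        for known in REGISTERED_SECRETS.get(user_id, ())
    )


def consumer_secret_cookie(user_id, raw_param):
    """Return a Set-Cookie header value, or None when the parameter is rejected."""
    # Reject anything that could add cookie attributes (';', spaces), split the
    # header (CR/LF), or bloat the cookie jar (oversized values).
    if not isinstance(raw_param, str) or not _COOKIE_OCTETS.fullmatch(raw_param):
        return None
    # Well-formed but not issued to this user: a link from a third party must
    # not be able to plant it in the victim's browser.
    if not owns_secret(user_id, raw_param):
        return None
    # Attributes are fixed server-side; nothing from the request reaches them.
    return f"oa_consumer_secret={raw_param}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed inputs: one legitimate value and three that must be refused.
    samples = [
        "s3cr3tAppValue0123456789",
        "x; Max-Age=0",
        "A" * 5000,
        "valueChosenBySomeoneElse",
    ]
    for value in samples:
        print(repr(value[:40]), "->", consumer_secret_cookie("user-1", value))
```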