Earlier today computer security consult and blogger, Graham Cluley, reported on a serious security oversight on the part of Tumblr. Cluley found that the Tumblr app for iOS devices was logging in users without dialing in to a secure (SSL) server. In plainer terms, the Tumblr app was sending over your user ID (your email address in this case) and your site password (you’re not using the same password right? RIIIGHT?) over the network as unencrypted text.
If you’ve ever logged in from your app on a public WiFi network (Starbucks, an airport, or cafe) then you should take immediate steps to protect yourself. Among the things listed, Cluley notes that users should
- Change their password immediately.
- Update your iOS app if you’re going to use it – Tumblr released a statement (copy can be found via the source link) notifying users that the app corrects the log-in issue.
Though Tumblr has taken steps to fix the issue, it would probably be “nice” if they’d make some kind of visible statement on users’ dashboards. As of this writing I have not been advised to change my password or that my information may have been compromised.