Ever logged in to Tumblr on your iPhone or iPad? How about while connected to public Wi-Fi? If you answered yes to either question, you may want to change your Tumblr password ASAP.
Tumblr has just made users aware of a serious privacy compromise that enables anybody with the ability to “sniff” traffic on public Wi-Fi networks to view Tumblr users’ passwords in unencrypted plain-text format. The problem arose because the iPad and iPhone apps failed to log users in through a secure server.
An official Tumblr announcement urges Tumblr users to change their passwords immediately if they’ve used the app, and to download the newest version of the app as soon as possible:
“If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.
“Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.”
According to the Register, a reader found the bug by chance while evaluating the Tumblr apps for suitable use on his employer’s smartphones.
It’s a surprisingly large security hole for the Yahoo-bought company to overlook. Anybody who has ever accessed Tumblr over public Wi-Fi from a mobile device, whether at an airport, a coffee shop, or a library, is at risk.
Fortunately, Tumblr users don’t seem to be reporting any serious consequences. The Tumblr #password and #security tags abound with users spreading the news, but not with sob stories about compromised accounts. Even if a user does find her account has been compromised, it will be hard to pin it on this security breach in particular.