Tumblr has issued what it is calling a very important security fix for its iOS app. Users are urged to download the update ASAP and change their password on Tumblr and on any other site where they reused the same password.
An official statement on the Tumblr Staff blog didn’t delve into any specifics beyond mentioning an issue that allowed passwords to be compromised in certain circumstances. According to The Register, however, Tumblr’s iOS app sent users’ login requests over plain HTTP rather than an SSL-protected (HTTPS) connection. This meant that anyone able to sniff traffic on the same network, such as an open Wi-Fi hotspot, could read usernames and passwords in cleartext. Whoops.
The publication became aware of the vulnerability after a reader found it during an audit of iOS apps for his employer. Specifically, he had been asked to investigate which iOS apps would be suitable for company use. He used Wireshark and a few other tools to check what each app was sending over the network, and that is when he spotted the Tumblr problem.
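As an added illustration (not code from the article, from Tumblr, or from the reader’s audit), here is a small Python checker that does what a Wireshark-based review does by hand: it looks at captured TCP payloads and flags any plaintext HTTP request that carries a password-like field, while treating TLS-wrapped traffic as opaque bytes. The captured streams, hostnames, paths and field names are constructed for the example and are assumptions, not Tumblr’s real API.

```python
"""Flag HTTP requests that carry login credentials in cleartext.

Added example, not code from the article or from the auditor it describes.
The captured payloads below are constructed; hostnames, paths and field
names are assumptions and do not describe Tumblr's real API.
"""
from urllib.parse import parse_qs

# Form-field names that usually hold a secret; matched case-insensitively.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}


def is_tls_record(payload: bytes) -> bool:
    """A TLS record starts with a content-type byte (0x14..0x17) and a
    0x03xx protocol version; every TLS session opens with a 0x16 handshake.
    A sniffer sees such a stream as opaque bytes, not as readable HTTP."""
    return (len(payload) >= 3
            and payload[0] in (0x14, 0x15, 0x16, 0x17)
            and payload[1] == 0x03)


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, target, headers, body).
    Returns None if the payload is not a plaintext HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def exposed_credentials(payload: bytes) -> list:
    """Return the credential fields visible to a passive sniffer, or []."""
    if is_tls_record(payload):
        return []  # encrypted: neither field names nor values are readable
    req = parse_http_request(payload)
    if req is None:
        return []
    method, target, headers, body = req
    found = set()
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        for name in parse_qs(body, keep_blank_values=True):
            if name.lower() in CREDENTIAL_FIELDS:
                found.add(name)
    # Secrets also leak through query strings and HTTP Basic auth headers.
    if "?" in target:
        for name in parse_qs(target.split("?", 1)[1], keep_blank_values=True):
            if name.lower() in CREDENTIAL_FIELDS:
                found.add(name)
    if headers.get("authorization", "").lower().startswith("basic "):
        found.add("Authorization: Basic")
    return sorted(found)


# Constructed streams, shaped like Wireshark's "Follow TCP Stream" output.
CAPTURED_STREAMS = {
    # The bug: a login form POSTed over port-80 HTTP, readable by anyone on the LAN.
    "plain_http_login": (
        b"POST /api/login HTTP/1.1\r\n"
        b"Host: app.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n"
        b"Content-Length: 42\r\n\r\n"
        b"email=alice%40example.com&password=hunter2"
    ),
    # The fix on the wire: a (truncated, constructed) TLS handshake record.
    "https_login": b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    # Plain HTTP that carries no secret: noisy, but not a credential leak.
    "plain_http_feed": b"GET /dashboard HTTP/1.1\r\nHost: app.example.com\r\n\r\n",
}


def audit(streams: dict) -> dict:
    """Map each captured stream name to the credential fields it exposes."""
    return {name: exposed_credentials(p) for name, p in streams.items()}


if __name__ == "__main__":
    for name, fields in audit(CAPTURED_STREAMS).items():
        print(f"{name:18s} {'LEAKS ' + str(fields) if fields else 'ok'}")
```

The contrast between the first two streams is the whole bug: over HTTP the form body, `password=hunter2` included, is readable by anyone sharing the Wi-Fi; over HTTPS the sniffer sees only a TLS record. A passive check like this only catches the cleartext case. An app that does use HTTPS but fails to validate the server certificate is still exposed to an active attacker on the same network, and that failure does not show up in a capture like the one above.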
The reader first submitted the vulnerability to Tumblr’s support team but when it was not resolved, he took the information public.
We have no way to know exactly how many accounts or passwords may have been compromised, but given that Tumblr has over 100 million users and more than 50 million blog posts, it probably isn’t a small figure. For what it’s worth, the vulnerability doesn’t appear to affect the Android app.