Tumblr users have been urged to install a patch after it was revealed that the service's iOS app was sending passwords in clear text.
Tumblr's vice president of product, Derek Gottfrid, said in a statement that the company had released a “very important security update” for Apple device users that addresses an issue that allowed passwords to be compromised in certain circumstances.
He said: “If you've been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It's also good practice to use different passwords across different services by using an app such as 1Password or LastPass.
“Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.”
The flaw, first reported by The Register, was discovered by a security professional during an audit of iOS applications for an organisation. He went public after Tumblr's support team, he said, failed to respond to his private disclosure.
According to The Register's report, the Tumblr iOS app did not log users in over a secure (SSL) connection, so the password travelled in plain text and could be read by anyone able to sniff the traffic, for example on a shared Wi-Fi network. The report confirmed that the exposure occurred when a user first logged into the application.
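The kind of check an auditor runs over captured app traffic to find exactly this class of bug, as an added example that is not from the article, from The Register or from Tumblr: it parses a constructed log of HTTP requests (the hostnames, paths, field names and values are all made up for illustration) and flags every request that sends a credential field over a scheme other than https. The https copy of the same login is deliberately not flagged, because a passive sniffer sees only TLS records there; the block also shows the one-line client-side guard a fixed app should apply before posting a password.

```python
"""Audit captured HTTP requests for credentials sent without TLS.

Constructed example, not Tumblr's code or traffic: the records in CAPTURED
imitate what a proxy or sniffer log shows when an app posts a login form
over plain HTTP versus HTTPS.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Field names that normally carry a secret; extend to the app under test.
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret", "api_key", "token"}

# Constructed sample of captured requests: (url, content_type, body).
CAPTURED = [
    ("http://app.example.com/login", "application/x-www-form-urlencoded",
     "user=alice&password=hunter2&remember=1"),
    ("https://app.example.com/login", "application/x-www-form-urlencoded",
     "user=alice&password=hunter2&remember=1"),
    ("http://api.example.com/v1/session", "application/json",
     '{"email": "bob@example.com", "pwd": "correct horse", "device": "ios"}'),
    ("http://cdn.example.com/avatar.png", "", ""),
]


def extract_fields(content_type, body):
    """Return top-level field name -> value from a form or JSON request body."""
    if not body:
        return {}
    if content_type.startswith("application/json"):
        try:
            data = json.loads(body)
        except ValueError:
            return {}
        return data if isinstance(data, dict) else {}
    # Anything else is treated as form encoding; keep the first value per key.
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def credential_fields(fields):
    """Names in the body that look like credentials, sorted for stable output."""
    return sorted(name for name in fields if name.lower() in CREDENTIAL_FIELDS)


def audit(captured):
    """Return (url, [credential field names]) for every request whose body
    carries a credential over a non-https scheme. HTTPS requests are skipped:
    their bodies are not readable by a passive observer."""
    findings = []
    for url, content_type, body in captured:
        if urlsplit(url).scheme.lower() == "https":
            continue
        leaked = credential_fields(extract_fields(content_type, body))
        if leaked:
            findings.append((url, leaked))
    return findings


def sniffed_secrets(captured):
    """What the observer actually recovers: the plaintext secret values,
    keyed by (url, field name), for the flagged requests."""
    out = {}
    for url, content_type, body in captured:
        if urlsplit(url).scheme.lower() == "https":
            continue
        fields = extract_fields(content_type, body)
        for name in credential_fields(fields):
            out[(url, name)] = str(fields[name])
    return out


def require_tls(login_url):
    """Client-side guard a fixed app applies before posting credentials:
    refuse any login endpoint that is not https. Returns the URL unchanged
    when it passes, raises ValueError otherwise."""
    if urlsplit(login_url).scheme.lower() != "https":
        raise ValueError(f"refusing to send credentials over plaintext: {login_url}")
    return login_url


if __name__ == "__main__":
    for url, names in audit(CAPTURED):
        print(f"plaintext credential field(s) {names} sent to {url}")
    for (url, name), value in sniffed_secrets(CAPTURED).items():
        print(f"  sniffer recovers {name}={value!r} from {url}")
```

Run against a real capture, the same audit would be fed from a proxy export or a pcap decoder rather than the inline list; the logic is unchanged. Note that the guard in `require_tls` only helps if the app also validates the server certificate, otherwise an active attacker can still terminate the TLS connection themselves.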
Security blogger Graham Cluley said that the fix was good news, but that the hole should not have been present in the first place.
“An updated app doesn't rescue any users' passwords which may have been stolen or exposed up until now,” he said.
“Yahoo, which recently acquired Tumblr, has been in trouble with HTTPS/SSL in the past. Up until January it was one of the few major webmail providers that didn't provide an option for users to login via HTTPS/SSL. Unfortunately, last time I looked, Yahoo Mail still wasn't enabling this option by default.
“Maybe Tumblr, and its parent company Yahoo, could do with a security refresher if it is going to properly look after its many millions of users.”