Tumblr, the blogging and content sharing web site, issued an urgent warning to those using its mobile application for Apple iPhones and iPads to update their Tumblr application – ASAP – after it was apparently found to be transmitting user names and passwords in the clear.
In a blog post on Tuesday, Derek Gottfrid, the Vice President of Product at the New York City-based firm, said that the company had issued an update to the iOS version of Tumblr’s mobile application to fix an issue that allowed Tumblr passwords to be sniffed in transit on certain versions of the iOS Tumblr application for iPhone and iPad.
Gottfrid did not explain the reason for the sudden update. However, a report by the UK publication The Register claims that the rush update came after Tumblr was made aware that the iOS versions of its application were not using SSL (Secure Sockets Layer) to protect traffic from the mobile device. That allowed user login information to be viewed “in the clear” on an unprotected Wi-Fi network.
Users of those mobile applications were encouraged to download and install Version 3.4.1 of the iOS Tumblr application. Tumblr had issued an update to its mobile applications for iOS and Android on July 9. It is unclear whether the password sniffing problem was introduced with that update, or whether it was a pre-existing issue.
Gottfrid advised mobile application users to update their password on Tumblr and on any sites where they had used the same username and password combination as with Tumblr.
“Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience,” Gottfrid wrote.
Online media giant Yahoo Inc. purchased Tumblr for $1.1 billion in May in an effort to leverage Tumblr’s growing and youthful population of users. Yahoo has said it will run Tumblr as an independent business unit within the company for the time being, with CEO and founder David Karp staying on as CEO.