The full story, however, wasn't disclosed until Wednesday when the Register explained the background. One of its readers had discovered the vulnerability and reported it to the publication. He did so, says El Reg, only "after failing to get it resolved by simply reporting it to Tumblr's support team."
The reader had been charged by his company with reviewing apps that would be suitable for use on company iPhones. Tumblr was one of these. He checked it against BitDefender's Clueful app, and found it wasn't doing anything unexpected. But then he used Wireshark to examine the data actually being sent out by the Tumblr app.
What he found was that the password, at login, was being sent unencrypted. El Reg reports: "'The Tumblr iOS app is sending the password over plain text and not over SSL,' our source explained, clarifying 'we are not talking about password reminders but about just opening the app and logging in through the iOS app.'"
In other words, anyone with access to the same wireless network would be able to acquire the user's unencrypted password whenever the user logged into Tumblr. "The risk posed by the behavior", noted El Reg, "is obviously more severe if the Wi-Fi network being used is open and insecure, as is often the case with Wi-Fi hotspots in travel hubs such as airports and train stations, hotels and coffee shops."
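The kind of check the reader performed can be automated for app vetting. The script below is an added example, not code from the original article or from Tumblr: it takes constructed captured requests (hypothetical host and credentials, labelled as such in the code) and flags any login form whose password field travels over plaintext HTTP rather than TLS.

```python
"""Audit check in the spirit of the reader's Wireshark review: given captured
HTTP request payloads (constructed samples, not real Tumblr traffic), flag any
login request whose credentials are sent in the clear."""
from urllib.parse import parse_qs

# Constructed, hypothetical captures: (destination port, raw request bytes).
# Port 443 traffic is TLS, so its bytes are opaque; port 80 is plaintext HTTP.
CAPTURES = [
    (80, b"POST /login HTTP/1.1\r\nHost: app.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"email=alice%40example.com&password=hunter2"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # start of a TLS ClientHello
    (80, b"GET /dashboard HTTP/1.1\r\nHost: app.example.com\r\n\r\n"),
]

# Form field names commonly used to carry a password.
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd"}


def plaintext_credentials(port, payload):
    """Return the credential field names sent in the clear, or an empty list.

    Only plaintext HTTP (port 80 here) is inspected; TLS payloads cannot be
    parsed and so pass this particular check."""
    if port != 80:
        return []
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return []
    headers = head.decode("ascii", errors="replace").lower()
    if "application/x-www-form-urlencoded" not in headers:
        return []
    fields = parse_qs(body.decode("ascii", errors="replace"))
    return sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)


def audit(captures):
    """Return (capture index, leaked field names) for every offending request."""
    findings = []
    for i, (port, payload) in enumerate(captures):
        leaked = plaintext_credentials(port, payload)
        if leaked:
            findings.append((i, leaked))
    return findings


if __name__ == "__main__":
    for i, leaked in audit(CAPTURES):
        print(f"capture {i}: credential field(s) {leaked} sent over plaintext HTTP")
```

Against the constructed captures, only the first request is reported, which is the behaviour the reader observed in the Tumblr login flow.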
The danger with a vulnerability like this is that a user could be compromised without ever knowing it. If the same password is reused for other online accounts, then they too could be compromised. "If you’ve been using these apps", says Tumblr, "you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass."
"Obviously, it’s good news that Tumblr has now released a version of its app which fixes this flaw", commented Graham Cluley. "But the gaping security hole shouldn’t have been present in the first place. And an updated app doesn’t rescue any users’ passwords which may have been stolen or exposed up until now."
The missing part of this story is why Tumblr did not respond when the vulnerability was first reported by El Reg's reader. Nor, it appears, was it very forthcoming to El Reg itself. "We've reported this issue to both Tumblr and Yahoo, which completed its acquisition of the micro-blogging service last month, but are yet to get anything more than an acknowledgement of receipt from either party." The Tumblr update statement makes no reference to the source of the vulnerability.