It’s not a good day for tumbleblogging. Someone over at Hacker News just noticed that users can access an admin panel for the site by entering a simple admin URL after signing in.
Among the capabilities exposed is the ability to search for users and reset their passwords. You can also change their email addresses, view their activity logs, and change other miscellaneous settings like daily limits on post types.
According to the person who posted the exploit on Hacker News, Tumblr has already been notified of the security hole but apparently has yet to fix it. Update: They’ve just fixed it. It was a known exploit for about an hour. Update 2: Tumblr’s security notice.
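The bug described above is a classic missing-authorization check: the admin URL verified that a visitor was signed in but not that the account held the admin role. The sketch below, added here as an illustration and not Tumblr's code, shows that mistake beside a deny-by-default router whose route table carries the required role, so the check cannot be forgotten on a new admin page; account names, routes and handlers are all constructed for the example.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample state: which signed-in accounts hold the admin role
# (looked up server-side, never taken from the request) and a password store.
ADMIN_USERS = {"alice"}
PASSWORDS: Dict[str, str] = {"alice": "h1", "bob": "h2", "carol": "h3"}
AUDIT_LOG: List[str] = []  # privileged actions and denied attempts, for detection

def admin_reset_password(actor: str, target: str, new_hash: str) -> str:
    """Privileged action exposed by the admin panel."""
    PASSWORDS[target] = new_hash
    AUDIT_LOG.append(f"{actor} reset password of {target}")
    return "reset"

def dashboard(actor: str) -> str:
    """Ordinary page any signed-in user may see."""
    return f"dashboard for {actor}"

# Route table: handler plus whether the admin role is required.
ROUTES: Dict[str, Tuple[Callable[..., str], bool]] = {
    "/admin/reset_password": (admin_reset_password, True),
    "/dashboard": (dashboard, False),
}

def dispatch_vulnerable(path: str, session_user: Optional[str], args: tuple) -> Tuple[int, Optional[str]]:
    """The mistake: an admin URL that only checks that *someone* is signed in."""
    if session_user is None:
        return 401, None
    route = ROUTES.get(path)
    if route is None:
        return 404, None
    handler, _requires_admin = route  # role flag is never consulted
    return 200, handler(session_user, *args)

def dispatch_fixed(path: str, session_user: Optional[str], args: tuple) -> Tuple[int, Optional[str]]:
    """Deny by default: authentication, then the route's role requirement, then the handler."""
    if session_user is None:
        return 401, None
    route = ROUTES.get(path)
    if route is None:
        return 404, None
    handler, requires_admin = route
    if requires_admin and session_user not in ADMIN_USERS:
        AUDIT_LOG.append(f"DENIED {session_user} -> {path}")  # worth alerting on
        return 403, None
    return 200, handler(session_user, *args)
```

A burst of 403 entries for admin routes from ordinary accounts is the signal a detection team would want after a fix like this ships.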