A few days ago I decided to host my blog on Tumblr. The feature set, UI and companion applications offered by this popular blogging platform suit my needs and give me a lot of flexibility with regard to my posting patterns.
One of the features it offers is the possibility to publish posts by sending emails to a private email address. This is particularly nice if you are on the road with no or intermittent Internet access, for example. You can just write the email and “send” it; it will then be queued for delivery by your mail client. Moreover, email posting is very flexible, as you can use Markdown to nicely format your post.
However, this flexibility comes at a cost in terms of security. Earlier today, Sascha and I tested the security of this service. I gave him my private email address (something an “attacker” might obtain while shoulder surfing, for example) and he successfully posted to my blog using his own email address and without faking the email headers of my regular mail client. And as my blog is configured to automatically push posts to Twitter and Facebook, his fake post appeared there as well.

Tumblr doesn’t notify when someone posts from an email address that was never used before and there is no access list functionality that allows you to whitelist the email addresses authorized to post to your blog. Last but not least, I haven’t found a way to turn off email posting altogether.
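The two missing controls described above (a sender allowlist and a notification when an unknown sender posts) are easy to sketch on the receiving side. The following is an added example, not Tumblr's code or anything from this post, showing how an email-to-post handler could decide whether an inbound message should be published, quarantined, or flagged to the owner. All addresses, the allowlist and the sample messages are constructed for the example. Because the From: header alone is trivially forged, the check also requires that the receiving MTA recorded a DKIM or SPF pass in the Authentication-Results header (RFC 8601) before an allowlisted sender is trusted.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the only address allowed to post to the blog.
# Hypothetical value, not a real account.
ALLOWED_SENDERS = {"owner@example.com"}


def auth_results_pass(msg):
    """True if the receiving MTA recorded a DKIM or SPF pass in an
    Authentication-Results header. A From: match on its own is not enough,
    because From: can be set to anything by the sending client."""
    for hdr in msg.get_all("Authentication-Results", []):
        low = str(hdr).lower()
        if "dkim=pass" in low or "spf=pass" in low:
            return True
    return False


def evaluate_inbound_post(raw_message, allowed=ALLOWED_SENDERS, seen_senders=None):
    """Decide what to do with one email submitted to the secret posting address.

    `seen_senders` is a mutable set the caller keeps across messages so that a
    never-before-seen sender can be flagged. Returns a dict describing the
    decision and whether the blog owner should be notified.
    """
    if seen_senders is None:
        seen_senders = set()
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    first_seen = sender not in seen_senders
    seen_senders.add(sender)
    on_allowlist = sender in allowed
    authenticated = auth_results_pass(msg)
    action = "publish" if (on_allowlist and authenticated) else "quarantine"
    return {
        "sender": sender,
        "subject": str(msg.get("Subject", "")),
        "on_allowlist": on_allowlist,
        "authenticated": authenticated,
        "first_seen": first_seen,
        "action": action,
        # Notify the owner on anything unusual: a sender not on the allowlist,
        # an allowlisted address that fails authentication, or a first-time sender.
        "notify": action != "publish" or first_seen,
    }


# Constructed sample messages (not real traffic).
LEGIT = (b"From: Blog Owner <owner@example.com>\r\n"
         b"To: secret-post-address@example.net\r\n"
         b"Subject: On the road\r\n"
         b"Authentication-Results: mx.example.net; dkim=pass header.d=example.com\r\n"
         b"\r\n"
         b"Short post written offline.\r\n")

STRANGER = (b"From: Someone Else <stranger@example.org>\r\n"
            b"To: secret-post-address@example.net\r\n"
            b"Subject: Hello from someone else\r\n"
            b"Authentication-Results: mx.example.net; dkim=pass header.d=example.org\r\n"
            b"\r\n"
            b"Sent to the private address from an unrelated account.\r\n")

SPOOFED = (b"From: Blog Owner <owner@example.com>\r\n"
           b"To: secret-post-address@example.net\r\n"
           b"Subject: Looks legitimate\r\n"
           b"Authentication-Results: mx.example.net; dkim=fail header.d=example.com; spf=fail\r\n"
           b"\r\n"
           b"From header matches the owner but authentication failed.\r\n")


if __name__ == "__main__":
    seen = set()
    for raw in (LEGIT, STRANGER, SPOOFED):
        print(evaluate_inbound_post(raw, seen_senders=seen))
```

The second message is the case from this post: a valid email from an unrelated account, delivered to the private address. With an allowlist it is quarantined and the owner is notified instead of the post going straight to the blog and its connected social accounts. The third message shows why the allowlist needs the authentication check behind it: the sender address matches, but the MTA's DKIM/SPF verdict does not.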
Sascha has a very nice write-up about this. Highly recommended read!
Conclusion: Protect your Tumblr private email address dearly.
myblogself posted this