Tumblr’s blogging platform has its own app issue to contend with. GFI Labs reports that an add-on called “ProfileStalkr” promises to show victims how often other users visit their blogs, but instead automatically posts spam to their accounts.
The app, which asks for “read and write” privileges, will bombard a blog’s followers with spam until the owner notices. Even after users change their passwords, the clever scammers can still post spam by taking advantage of Tumblr’s post-by-email feature, which must be reset in addition to the password change. Users must also revoke the application’s access in their Tumblr settings.