This might be the first nerd-blog post in a long time, so my apologies if I startle anyone. As a quick update, I wrote a book on security in Drupal and then founded a company focused on Drupal security services and then sold that company to Acquia where I currently work.
So....Tumblr is a big deal. They apparently have 120million users and are totally awesome.
Want to see the problem in action? I even made this handy dandy movie of the problem:
It's also worth noting that it was relatively difficult to figure out how to report a security issue to their engineering team. In the end I just sent a support message to tumblr via the normal support channel which got an "auto-deflect" response. I had to re-open it by responding to get a human to look at it. IMO, if you have a web property with more than a few hundred users, you should have a policy around submitting security issues that is really dang easy for people to follow.