Tumblr shares iPhone and iPad passwords with the world

Many are irked at Tumblr selling out to Yahoo!, and more will be even more annoyed to learn that Tumblr's iOS app logs users in over a plain, unencrypted HTTP connection rather than SSL, which means that users' plaintext passwords are freely available to anyone who can, as The Reg puts it, 'sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats'n'grumble free-content platform.'

This security cock-up was found by a Reg reader while auditing, for their employer, which iOS apps were permissible for use on corporate smartphones.

"I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc)," he explains.

"It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third-party analytics companies, not seeing any mention of it in the company's Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."

"The Tumblr iOS app is sending the password over plain text and not over SSL," said the source, adding: "we are not talking about password reminders but about just opening the app and logging in through the iOS app."

The person who found this out went public after Tumblr's support team ignored him.

So, if you've been using Tumblr over an insecure wireless network, it isn't difficult for someone on that network to capture your password as the app sends it (and the session log-in cookie that follows), which means that people could well hack into your Tumblr account (or, more likely, your son or daughter's Tumblr) and swipe all those naked pictures they've been uploading in private posts.
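The check the reader describes, looking at each TCP stream the app opens and deciding whether a login request carried the password in the clear, is easy to script. The following is an added example written for this page, not code from the article, from The Reg or from Tumblr. The sample streams, hostnames, paths and field names are all constructed for the example; it shows a cleartext form login and a Basic-auth header being flagged, an analytics beacon with no secret passing, and the same login over SSL/TLS showing nothing but an opaque handshake to the sniffer.

```python
"""Flag credentials sent over cleartext HTTP in captured TCP streams.

Added example, not the article's or the reader's own code.  It mirrors the
kind of Wireshark check described above: for each stream an app opens, look
for a login request whose password is readable on the wire.  The sample
streams and names below are constructed assumptions for the example.
"""
import base64
import json
from urllib.parse import parse_qs

# Field names that usually carry a secret (case-insensitive substring match).
SECRET_FIELDS = ("password", "passwd", "pwd", "secret", "token")


def looks_like_tls(payload: bytes) -> bool:
    """A TLS handshake starts with a Handshake record (0x16) and a 0x03 version byte."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_http_request(payload: bytes):
    """Split a cleartext HTTP/1.x request into (method, target, headers, body); None if not HTTP."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].split(b" ", 2)
    except ValueError:
        return None
    if not version.startswith(b"HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return method.decode(), target.decode(), headers, body


def secret_fields(headers, body: bytes):
    """Return {field: value} for credential-looking fields in the body or an Authorization header."""
    found = {}
    ctype = headers.get("content-type", "")
    if "application/x-www-form-urlencoded" in ctype:
        for key, values in parse_qs(body.decode(errors="replace")).items():
            if any(s in key.lower() for s in SECRET_FIELDS):
                found[key] = values[0]
    elif "application/json" in ctype:
        try:
            for key, value in json.loads(body).items():
                if any(s in key.lower() for s in SECRET_FIELDS):
                    found[key] = str(value)
        except (ValueError, AttributeError):
            pass  # not a JSON object; nothing to inspect
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            _user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
            found["authorization(basic)"] = password
        except ValueError:
            pass  # malformed base64
    return found


def find_plaintext_credentials(flows):
    """flows: iterable of (dst_host, dst_port, payload bytes). Returns a list of findings."""
    findings = []
    for host, port, payload in flows:
        if looks_like_tls(payload):
            continue  # encrypted: the sniffer sees only the handshake, never the form
        req = parse_http_request(payload)
        if req is None:
            continue
        method, target, headers, body = req
        secrets = secret_fields(headers, body)
        if secrets:
            findings.append({"host": host, "port": port,
                             "request": f"{method} {target}", "fields": secrets})
    return findings


# Constructed sample streams, as Wireshark's "Follow TCP Stream" would show them.
SAMPLE_FLOWS = [
    # Login POST over plain HTTP: the password is readable by anyone on the Wi-Fi.
    ("api.example.com", 80,
     b"POST /login HTTP/1.1\r\nHost: api.example.com\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 42\r\n\r\n"
     b"email=alice%40example.com&password=hunter2"),
    # Analytics beacon over plain HTTP: no secret field, so not flagged here.
    ("stats.example.net", 80,
     b"POST /collect HTTP/1.1\r\nHost: stats.example.net\r\n"
     b"Content-Type: application/json\r\n\r\n"
     b'{"device_id": "A1B2", "event": "app_open"}'),
    # The same login over HTTPS: only a TLS ClientHello is visible on the wire.
    ("api.example.com", 443, bytes.fromhex("160301007a010000760303") + b"\x00" * 16),
    # Basic auth in a header is just as exposed as a form field.
    ("files.example.com", 80,
     b"GET /private HTTP/1.1\r\nHost: files.example.com\r\n"
     b"Authorization: Basic " + base64.b64encode(b"bob:s3cret") + b"\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_FLOWS):
        print(finding)
```

Run against the constructed streams it reports two findings, the form login on port 80 and the Basic-auth request, and stays silent on the HTTPS stream. In a real audit you would feed it the payloads Wireshark or tcpdump reassembles for each stream the app opens; anything it flags is exactly what a stranger on the same hotspot can read.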

Tumblr is rolling out a fix for this and has urged users to change their passwords.

1 comment

  • steveblag
    Whilst true, this is also true of Facebook and (at least last time I checked) Twitter as well. Anyone who can download FaceNiff will know this. Facebook, for one, has refused to change this, and so the security hole remains wide open. Moral of the story: either don't use these sites or ensure the settings mean a secure password authentication is used.