Feeds

D'OH! Use Tumblr on iPhone or iPad, give your password to the WORLD

World+Cat in this case. Should call it 'Spaffr'

Seven Steps to Software Security

Exclusive Tumblr's iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result users' plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats'n'grumble free-content platform.

The wide-open security howler was discovered by a Reg reader during the course of auditing for his employer which iOS apps were permissible for use on corporate smartphones.

"I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc)," he explains.

"It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it on the companies Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."

As part of this process our man was asked to review Tumblr as a possible app that could be installed on users' work iPhones. Checking www.cluefulapp.com appeared to give Tumblr a clean bill of health. However he had a shock when he checked the network traffic. Screenshot here (note - email address used was disposable and password has been changed, our source assures us).

"The Tumblr iOS app is sending the password over plain text and not over SSL," our source explained, clarifying "we are not talking about password reminders but about just opening the app and logging in through the iOS app."

"This occurs when you first log into the application, although I didn't check past the initial logon screen," he added.

The same network traffic checks on a Mac revealed that login to Tumblr in this case was passed through a secure server, which avoided the exposure of username and passwords in plain text.

In all the iOS app testing our source carried out, he removed the SIM card so all the data travelled across a Wi-Fi network. The risk posed by the behaviour is obviously more severe if the Wi-Fi network being used is open and insecure, as is often the case with Wi-Fi hotspots in travel hubs such as airports and train stations, hotels and coffee shops.

Our source only came to El Reg with the issue after failing to get it resolved by simply reporting it to Tumblr's support team.

Dodi Glenn, director of security content management at ThreatTrack Security, confirmed that the Tumblr iOS failed to pass initial logins through a secure server.

“For an application like Tumblr, there should be no reason not to pass the login information over SSL," Glenn told El Reg. "We simply ran a firewall on a device in order to get some visibility of where the login process was going. Our investigation, though not scientific, suggests that it has one SSL connection but not at the point of logging in.”

The FireSheep network sniffing tool made it childsplay for anyone to capture your session log-in cookie from users on the same insecure wireless network. The appearance of the tool prompted sites like Twitter and Gmail to offer encrypted versions of their services via HTTPS connections. But at a time when always-on encryption is becoming more widespread Tumblr is failing to apply any encryption for the most sensitive part of the process, the initial login, for users of its native iOS app.

We've reported this issue to both Tumblr and Yahoo, which completed its acquisition of the micro-blogging service last month, but are yet to get anything more than an acknowledgement of receipt from either party. We'll update this story as and when we hear more. ®

Updated to add

Last night Tumblr released "a very important security update" for its iPhone and iPad app that fixes "an issue that allowed passwords to be compromised in certain circumstances". The sex-blog platform also urged users to change their passwords on Tumblr and anywhere else they've used the same password.

Mobile application security vulnerability report

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Reducing security risks from open source software
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.