Feeds

D'OH! Use Tumblr on iPhone or iPad, give your password to the WORLD

World+Cat in this case. Should call it 'Spaffr'

Top 5 reasons to deploy VMware with Tegile

Exclusive Tumblr's iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result users' plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats'n'grumble free-content platform.

The wide-open security howler was discovered by a Reg reader during the course of auditing for his employer which iOS apps were permissible for use on corporate smartphones.

"I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc)," he explains.

"It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it on the companies Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."

As part of this process our man was asked to review Tumblr as a possible app that could be installed on users' work iPhones. Checking www.cluefulapp.com appeared to give Tumblr a clean bill of health. However he had a shock when he checked the network traffic. Screenshot here (note - email address used was disposable and password has been changed, our source assures us).

"The Tumblr iOS app is sending the password over plain text and not over SSL," our source explained, clarifying "we are not talking about password reminders but about just opening the app and logging in through the iOS app."

"This occurs when you first log into the application, although I didn't check past the initial logon screen," he added.

The same network traffic checks on a Mac revealed that login to Tumblr in this case was passed through a secure server, which avoided the exposure of username and passwords in plain text.

In all the iOS app testing our source carried out, he removed the SIM card so all the data travelled across a Wi-Fi network. The risk posed by the behaviour is obviously more severe if the Wi-Fi network being used is open and insecure, as is often the case with Wi-Fi hotspots in travel hubs such as airports and train stations, hotels and coffee shops.

Our source only came to El Reg with the issue after failing to get it resolved by simply reporting it to Tumblr's support team.

Dodi Glenn, director of security content management at ThreatTrack Security, confirmed that the Tumblr iOS failed to pass initial logins through a secure server.

“For an application like Tumblr, there should be no reason not to pass the login information over SSL," Glenn told El Reg. "We simply ran a firewall on a device in order to get some visibility of where the login process was going. Our investigation, though not scientific, suggests that it has one SSL connection but not at the point of logging in.”

The FireSheep network sniffing tool made it childsplay for anyone to capture your session log-in cookie from users on the same insecure wireless network. The appearance of the tool prompted sites like Twitter and Gmail to offer encrypted versions of their services via HTTPS connections. But at a time when always-on encryption is becoming more widespread Tumblr is failing to apply any encryption for the most sensitive part of the process, the initial login, for users of its native iOS app.

We've reported this issue to both Tumblr and Yahoo, which completed its acquisition of the micro-blogging service last month, but are yet to get anything more than an acknowledgement of receipt from either party. We'll update this story as and when we hear more. ®

Updated to add

Last night Tumblr released "a very important security update" for its iPhone and iPad app that fixes "an issue that allowed passwords to be compromised in certain circumstances". The sex-blog platform also urged users to change their passwords on Tumblr and anywhere else they've used the same password.

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.