Feeds

D'OH! Use Tumblr on iPhone or iPad, give your password to the WORLD

World+Cat in this case. Should call it 'Spaffr'

Choosing a cloud hosting partner with confidence

Exclusive Tumblr's iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result users' plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats'n'grumble free-content platform.

The wide-open security howler was discovered by a Reg reader during the course of auditing for his employer which iOS apps were permissible for use on corporate smartphones.

"I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc)," he explains.

"It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it on the companies Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."

As part of this process our man was asked to review Tumblr as a possible app that could be installed on users' work iPhones. Checking www.cluefulapp.com appeared to give Tumblr a clean bill of health. However he had a shock when he checked the network traffic. Screenshot here (note - email address used was disposable and password has been changed, our source assures us).

"The Tumblr iOS app is sending the password over plain text and not over SSL," our source explained, clarifying "we are not talking about password reminders but about just opening the app and logging in through the iOS app."

"This occurs when you first log into the application, although I didn't check past the initial logon screen," he added.

The same network traffic checks on a Mac revealed that login to Tumblr in this case was passed through a secure server, which avoided the exposure of username and passwords in plain text.

In all the iOS app testing our source carried out, he removed the SIM card so all the data travelled across a Wi-Fi network. The risk posed by the behaviour is obviously more severe if the Wi-Fi network being used is open and insecure, as is often the case with Wi-Fi hotspots in travel hubs such as airports and train stations, hotels and coffee shops.

Our source only came to El Reg with the issue after failing to get it resolved by simply reporting it to Tumblr's support team.

Dodi Glenn, director of security content management at ThreatTrack Security, confirmed that the Tumblr iOS failed to pass initial logins through a secure server.

“For an application like Tumblr, there should be no reason not to pass the login information over SSL," Glenn told El Reg. "We simply ran a firewall on a device in order to get some visibility of where the login process was going. Our investigation, though not scientific, suggests that it has one SSL connection but not at the point of logging in.”

The FireSheep network sniffing tool made it childsplay for anyone to capture your session log-in cookie from users on the same insecure wireless network. The appearance of the tool prompted sites like Twitter and Gmail to offer encrypted versions of their services via HTTPS connections. But at a time when always-on encryption is becoming more widespread Tumblr is failing to apply any encryption for the most sensitive part of the process, the initial login, for users of its native iOS app.

We've reported this issue to both Tumblr and Yahoo, which completed its acquisition of the micro-blogging service last month, but are yet to get anything more than an acknowledgement of receipt from either party. We'll update this story as and when we hear more. ®

Updated to add

Last night Tumblr released "a very important security update" for its iPhone and iPad app that fixes "an issue that allowed passwords to be compromised in certain circumstances". The sex-blog platform also urged users to change their passwords on Tumblr and anywhere else they've used the same password.

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.