Yahoo-owned Tumblr has pushed out a fix for its iOS app, after claims it was not using encryption to keep users’ passwords safe.
Tumblr issued an update yesterday, urging all users to change their passwords as a precaution. “We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances,” the blogging company said in a blog post, revealing little else.
It did hint that secure sockets layer (SSL) was not implemented properly, by saying passwords could be “sniffed in transit on certain versions of the app”.
A reader of The Register claimed the iOS apps was not logging users in over an SSL server, meaning plain text passwords were being sent between phones and servers. Hackers sitting on the same network could easily intercept such passwords and compromise a Tumblr account, and any other site using similar login credentials.
The threat becomes considerably more severe where the Tumblr user is on an unprotected Wi-Fi network.
It appears the app uses SSL after login, but not before – a serious security failure in many professionals’ eyes.
Many Internet services do SSL badly, as TechWeekEurope discovered last year in an investigation into security on university websites.
What do you know about Internet security? Find out with our quiz!
Northvolt files for Chapter 11 bankruptcy protection in the United States, and CEO and co-founder…
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
View Comments
Great article, this is a surprising security oversight by Tumblr, since this type of security measure is not difficult to implement.
For users interested in protecting themselves. We have written out some steps you can take to protect your data from this type of flaw.
http://www.doctrackr.com/blog/bid/318540/Is-Your-Social-Media-Secure-Privacy-Tips-from-Tumblr-s-Failure