Tumblr, the hugely popular blogging service which was bought by Yahoo! last month, has advised mobile users to change their passwords, and to change them immediately. In a posting to the Tumblr staff blog, a spokesperson states "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances." The precise details of the vulnerability that enabled this password compromise appear to be rarer than rocking horse crap; however, there's a pretty big clue in a footnote to that staff blog post, which defines 'certain circumstances' as being "sniffed in transit on certain versions of the app".
From this we can fairly confidently extrapolate that the iPhone and iPad Tumblr apps have not been logging users into the platform securely, leaving anyone who has used them from an airport lounge or hotel lobby vulnerable to those who would hack your stuff. The Register broke the story after a security-conscious reader carried out an audit on the Tumblr app to see if it was secure enough to use on his corporate devices. "The Tumblr iOS app is sending the password over plain text and not over SSL," the auditor discovered. So the Tumblr app wasn't logging in using an HTTPS connection, and was therefore sending all login data in the clear as unencrypted text. Text that is stupidly simple for a drive-by hacker to sniff and grab out of the ether. Or, more accurately, a sit-by hacker, as that's what they do in public areas such as those airport lounges and hotel lobbies mentioned earlier. There are dozens of readily available programs that enable such packet sniffing of Wi-Fi network traffic to take place, and which will happily log the data to enable the bad guys to pull logins out of the stream at their leisure.
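The kind of check the reader's audit performed can be scripted over captured app traffic, as in this added example (it is not code from Tumblr, The Register or the auditor, and the host name, request contents and the assumed list of secret field names are constructed for illustration):

```python
"""Audit captured app requests for credentials sent without TLS.

Added example, not Tumblr's or The Register's code. A proxy or capture
tool that sits between the app and the network records each request and
whether it travelled over TLS; a login POST over plain HTTP is exactly
what the reader's audit found. All captures below are constructed samples.
"""
from urllib.parse import parse_qs

# Field names that commonly carry secrets in login forms (assumption).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "token", "api_key"}

# Constructed samples: (scheme as seen by the proxy, host, raw HTTP request).
CAPTURED = [
    ("http", "example-app.invalid",
     "POST /login HTTP/1.1\r\nHost: example-app.invalid\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "email=alice%40example.invalid&password=hunter2"),
    ("https", "example-app.invalid",
     "POST /login HTTP/1.1\r\nHost: example-app.invalid\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
     "email=bob%40example.invalid&password=correcthorse"),
    ("http", "example-app.invalid",
     "GET /dashboard HTTP/1.1\r\nHost: example-app.invalid\r\n\r\n"),
]

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def secret_fields_in_body(headers, body):
    """Return the secret-looking field names in a form-encoded body."""
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []
    return sorted(k for k in parse_qs(body, keep_blank_values=True)
                  if k.lower() in SECRET_FIELDS)

def audit(captures):
    """Return one finding per request that carried a secret outside TLS."""
    findings = []
    for scheme, host, raw in captures:
        method, path, headers, body = parse_request(raw)
        leaked = secret_fields_in_body(headers, body)
        if scheme != "https" and leaked:
            findings.append({"host": host, "path": path, "method": method, "fields": leaked})
    return findings

if __name__ == "__main__":
    for f in audit(CAPTURED):
        print(f"CLEARTEXT CREDENTIAL: {f['method']} {f['host']}{f['path']} fields={f['fields']}")
```

Only the first constructed request is reported: the same form over HTTPS is fine, and the plain-HTTP GET carries no secret.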
The fact that Tumblr wasn't using HTTPS might come as a surprise to some, but not to those in the security industry such as Graham Cluley, who points out that "up until January Yahoo! was one of the few major webmail providers which didn’t provide an option for users to login via HTTPS/SSL". Warning that "last time I looked, Yahoo Mail still wasn’t enabling this option by default", Cluley suggests that perhaps both Tumblr and Yahoo! need a security refresher if they are to properly look after the many millions of users they have.
In addition to downloading the updated apps, Tumblr advises users to "update your password on Tumblr and anywhere else you may have been using the same password" and adds that "it’s also good practice to use different passwords across different services by using an app like 1Password or LastPass." Talking of good practice, Tumblr is surely a candidate for the 'After The Horse Has Bolted' award 2013.