Users of Tumblr’s iPhone and iPad apps have been exposed to a serious security risk, as it has been discovered that the blogging platform has been astonishingly sloppy with its security.
Tumblr apps have been failing to log users into the blogging platform securely, making it simple for hackers to sniff passwords out of Wi-Fi network traffic.
That means that if you ever logged into Tumblr from your iPhone or iPad in, say, a cafe, a hotel lobby or an airport lounge that your password could have been compromised.
An official announcement, titled “Important Security Update for iPhone/iPad users”, has been posted on Tumblr’s blog.
Important security update for iPhone/iPad users
We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.
If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It’s also good practice to use different passwords across different services by using an app like 1Password or LastPass.
Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.
¹ “Sniffed” in transit on certain versions of the app
What should you do?
- Change your Tumblr password immediately. If you were using your existing Tumblr password anywhere else on the net (shame on you) you need to change that as well. Do NOT use the same passwords on multiple websites. and never use easy-to-guess, easy-to-crack passwords
- If you still want to carry on using the Tumblr app on your iPhone, iPod Touch or iPad, you should update it to the latest version which Tumblr says fixes the problem.
If an app like Tumblr doesn’t login through a secure (SSL) server, anybody on the Wi-Fi network you are using could grab your username and password, as they are transmitted from your app to Tumblr.
That’s because, without HTTPS, they are sent as unencrypted text.
According to a report in The Register, the serious security issue was found after one of its readers audited the Tumblr app’s suitability for use on his company’s mobile devices.
Obviously, it’s good news that Tumblr has now released a version of its app which fixes this flaw. But the gaping security hole shouldn’t have been present in the first place. And an updated app doesn’t rescue any users’ passwords which may have been stolen or exposed up until now.
Yahoo, which recently acquired Tumblr, has been in trouble with HTTPS/SSL in the past. Up until January it was one of the few major webmail providers which didn’t provide an option for users to login via HTTPS/SSL.
Unfortunately, last time I looked, Yahoo Mail still wasn’t enabling this option by default.
Maybe Tumblr, and its parent company Yahoo, could do with a security refresher if it is going to properly look after its many millions of users.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.