D'OH! Use Tumblr on iPhone or iPad, give your password to the WORLD

Tumblr's iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result users' plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats'n'grumble free-content platform. The wide-open security howler was discovered by a …

COMMENTS

This topic is closed for new posts.

I discovered something similar on a Twitter client for Nokia some years back. The issue was that, while testing a MITM attack, it would attempt to transmit via SSL and, through various iterations of the software, either 1) ignore the cert error and continue or 2) revert to non-SSL.

Would be interested in checking the behavior after they 'fix' this one.

0
0
Silver badge
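The plaintext login the article describes and the SSL-to-HTTP fallback the first commenter saw are caught by the same lab check: scan the requests captured from a device under test for a credential-bearing form POST that did not travel inside TLS. This is an added example, not code from The Register or any commenter; the hostnames, secret-field list and sample captures are constructed.

```python
"""Flag credential-bearing POSTs that travelled without TLS.
Added example for this thread, not code from The Register or any commenter;
it models a lab check over requests captured from a device under test."""
from urllib.parse import parse_qs

# Form-field names that usually carry a secret (matched case-insensitively).
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}

def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers,
            "body": body.decode("latin-1")}

def leaked_fields(req: dict) -> list:
    """Return the secret-looking form fields present in the request body."""
    if "application/x-www-form-urlencoded" not in req["headers"].get("content-type", ""):
        return []
    fields = parse_qs(req["body"], keep_blank_values=True)
    return sorted(f for f in fields if f.lower() in SECRET_FIELDS)

def audit(captures: list) -> list:
    """captures: (transport, raw_request) pairs, transport 'tls' or 'plain'.
    Only field *names* are reported, so the report never re-exposes a secret."""
    findings = []
    for transport, raw in captures:
        req = parse_request(raw)
        names = leaked_fields(req)
        if names and transport != "tls":
            host = req["headers"].get("host", "?")
            findings.append(f"PLAINTEXT CREDENTIALS {req['method']} "
                            f"{host}{req['path']} fields={names}")
    return findings

# Constructed sample traffic: the same login once over plain HTTP, once inside TLS.
LOGIN_BODY = b"email=user%40example.com&password=hunter2"
PLAIN_LOGIN = (b"POST /login HTTP/1.1\r\nHost: app.example.invalid\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(LOGIN_BODY) + LOGIN_BODY)
PLAIN_GET = b"GET /feed HTTP/1.1\r\nHost: app.example.invalid\r\n\r\n"
SAMPLE_CAPTURES = [("plain", PLAIN_LOGIN), ("tls", PLAIN_LOGIN), ("plain", PLAIN_GET)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CAPTURES)))
```

The same request bytes are flagged when carried over plain HTTP and pass when carried inside TLS, which is exactly the distinction a downgrading client erases.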

Since I don't use Tumblr I don't really care, I care even less about other people's Tumblrs and have no urge to go sniffing them out.

I have better things to do, beer please.

1
8
Silver badge
Meh

better things to do

like tell us how uninterested you are in this story....

5
1
Silver badge
Pirate

Good thing

It's a good thing that all people use different passwords on social media sites than on their banking and credit card sites.

Oh wait.... Let me rephrase that.

It's a good thing that at least 1% of all internet users use different passwords on social media sites than on their banking and credit card sites.

[the internet - turning billions of mindless sheep into fraud victims since 1974....]

0
0
Anonymous Coward

Fix already out

The updated app was in the app store yesterday (16th), might have been nice if someone checked before publishing the article...

0
4
Holmes

Re: Fix already out

I'm curious: are you saying this is a non-story because the problem is fixed or that el reg should have noted that in the article?

If the latter it might have been nice for either Tumblr or Yahoo to inform the people who informed them of the issue that it had been fixed and if the former bad security on this sort of scale should always be reported!

3
0
(Written by Reg staff) Silver badge

Re: Fix already out

"The updated app was in the app store yesterday"

The Tumblr announcement is terse on details: what you have here is the actual story :-) Also, funny! how! the! update! appeared! over! night! after! we! contacted! Yahoo!

C.

8
0
Bronze badge
Joke

Re: Fix already out

"an issue that allowed passwords to be compromised in certain circumstances"

where:

"in certain circumstances" = "all the time"

1
0
Anonymous Coward

Re: Fix already out

Problem is, without automatic pushed updates like Android has, iOS users are likely to be insecure for quite some time.

0
0
Bronze badge

Ah Tumblr, written for kids and idiots, by kids and idiots.

1
0
Trollface

@dijitulsupport

And these kids and idiots made how much when they sold it?

I should be so young and stupid.

1
0
Anonymous Coward

Tumblr is a website, right?

Tumblr is basically a website, is it not? Or have I missed something?

So can someone help me understand what the benefits are of having a "Tumblr app" to access the website?

We have here an illustration of why using your favourite tried and tested web browser to access the site *might* have been a better idea (e.g. people know about the little padlock you look for when logging in).

Obviously Tumblr isn't the only website in the website->app picture.

I suspect the word "monetise" appears in the answer to why companies are doing this, but I'm not sure. All contributions gratefully received.

2
0
Facepalm

Re: Tumblr is a website, right?

I suspect they're mainly doing it because some marketing drone has heard that it's the "in" thing to have an app.

Inevitable XKCD: http://xkcd.com/1174/

1
0
Bronze badge

Re: Tumblr is a website, right?

tumblr is, basically, a blog site.

(the lowest possible value for "blog" - ie pictures of cats and boobs)

So I imagine the app will be logging into your tumblr page to create a post/content/whatever. A way of uploading a cat picture and some emo band lyrics via your phone.

0
0
Anonymous Coward

Re: Tumblr is a website, right?

It's a lot easier to upload content using an app than a webpage?

After all, phone browsers don't have plugins like Flash and Java usually. Plus in the case of iOS and others the filesystem isn't revealed to users. Browser upload dialogs deal with files.

0
0
Silver badge

App makes sense on Android

On Android the app can appear in the share menu, so it gets integrated into the OS in a way that web apps can't.

There might be less data transfer when using the app, as the navigation, validation and appearance don't need to be downloaded.

0
0
Yag
Bronze badge
Trollface

Re: Tumblr is a website, right?

The benefits are:

- Ability to slurp additional personal information on the user - especially that he uses a smartphone

- Ability to send third party ads without being annoyed by ad blockers

...

what? oh, you mean "benefits for the user"? well... WHO CARES?

5
1
Anonymous Coward

Re: Tumblr is a website, right?

Tumblr is basically a website, is it not? Or have I missed something?

So is Flickr / Facebook and on and on.

Try using the Flickr App compared to the flickr website on mobe / tablet and you'll understand why.

It's called ease of use. It's a thing many, many software engineers often forget: they write great code, but the actual interface is a frustrating pile of shit.

1
0
Trollface

Re: Tumblr is a website, right?

@DijitulSupport: "tumblr is, basically a blog site. (the lowest possible value for "blog" - ie pictures of cats and boobs)"

ITYM "cats and dugs"

0
0
Anonymous Coward

Re: Tumblr is a website, right?

"It's called ease of use. It's a thing many, many software engineers often forget, they write great code, but the actual interface is a frustrating pile of shit."

Software engineers, web designers, who cares.

If it's a piece of poo it's a piece of poo regardless of who designed it.

Needing a dedicated app so that a large proportion of users of a website's content can conveniently access that content *may* just mean that the original website design is too poo for much of its intended market. Whose fault is that?

Or does the logical conclusion of this trend lead to a separate app for every big website, thereby getting rid of the original concept(s) of browsers and content and websites and sharing, and reintroducing a set of unconnected and unconnectable 1990s CompuServe/AOL style walled gardens? You never know, it might work. Not.

On the other hand, I think the concept of "slurping" and/or "monetising" may well be significant in this picture.

1
0
Silver badge

Reality distortion field

"Although all ios apps sometimes send unencrypted data, 84% of users consider ios to be more secure than Android"

http://www.kinvey.com/blog/3037/uncommon-comparisons-of-the-app-store-vs-google-play-infographic

ios v Android: Less encryption, more analytics, more tracking, more contact and calendar slurping.

1
0
Anonymous Coward

You mean like this web site does....

http://forums.theregister.co.uk/

Where the lack of https:// means I send my username and password in clear text.

El reg in 'people who live in glass houses' shocker.

3
1
(Written by Reg staff)

Re: You mean like this web site does....

Right, cos your Reg forum comments are obviously on par with the sensitive details contained in your email accounts...

1
2
Thumb Up

Re: You mean like this web site does....

C'mon Gaz, with such urbane wit like those of, ooh... Eadon, amanfrommars1 and BarryShitpeas... you NEED proper security so that no-one can steal their login info, hijack the accounts, and post complete and utter shi...

I see your point. Carry on!

1
0
Trollface

Re: You mean like this web site does....

But I, like 95% of the internet, use the same password everywhere - your argument is invalid.

1
0
Bronze badge
Stop

Re: You mean like this web site does....

I have no idea how you can lump amanfrommars with the likes of he who shall not be named and BS. The guy is legend...

0
1
Facepalm

Re: You mean like this web site does....

"Right, cos your Reg forum comments are obviously on par with the sensitive details contained in your email accounts..."

Nope - it's not the comments, it's the email and password that's sensitive, and it's exactly the same as the Tumblr issue you've reported on!

0
0
(Written by Reg staff)

Re: Re: You mean like this web site does....

I'm not the tech department, so don't take my reply as gospel, but I'm thinking a) Reg comments contain very little of value (sorry, chaps and chapesses) vis-a-vis sensitive login services such as your email account, Facebook, etc etc, and b) there's insufficient cost/benefit to justify HTTPS for Reg Forums.

Also, c), you shouldn't be using the same username/password combo here as for something important!

0
1
Bronze badge
FAIL

Re: You mean like this web site does....

Agree with a and c.

b - that is a pretty mediocre response for a tech rag of El Reg's calibre. You could do this on a shoestring if you wanted. Hell, even self-signed. I reckon you should source an official response for this.

3
0
FAIL

Re: You mean like this web site does....

I would rate Tumblr's worthlessness to be pretty much on a par with the Reg's comments. As I explained before, it's the email address and password combo that's sensitive, not the service provided using them.

Yes, you shouldn't be using the same password as for something important, but people do. Would you be happy if Tumblr had wheeled out the same poor excuse?

2
0
Silver badge
Joke

The sex-blog platform

No wonder it's called Tumblr - I thought it was just a shit name, I never knew they put so much clever wittiness into its naming!

0
0

Re: The sex-blog platform

I'm not starting an account with a site that still cannot spell its own name.

1
0
Silver badge

Re: The sex-blog platform

Imagine if this place renamed as "Da Regiztr"

0
0