D'OH! Use Tumblr on iPhone or iPad, give your password to the WORLD

Tumblr's iOS app sends users' login credentials over plain HTTP rather than through a secure (SSL/TLS) connection, it has emerged. As a result users' plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use (or anywhere else on the network path) to connect to the popular cats'n'grumble free-content platform. The wide-open security howler was discovered by …
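What a passive sniffer on the same Wi-Fi network actually sees, as an added example (not code from the article, Tumblr or Yahoo): a small Python checker that takes constructed "flows" (destination port plus the bytes the client sent), skips TLS records, which reveal nothing about form fields, and reports any plain-HTTP request that carries a password field or a Basic auth header. The host `api.example.invalid`, the paths and the credentials are made up; the secret-field list is an assumption a tester would extend for the app under test.

```python
"""Detect login credentials sent in the clear, as a sniffer on a shared
Wi-Fi network would see them.  Added example; the flows below are
constructed, not real captures."""
import base64
from urllib.parse import parse_qs

# Form fields that usually carry a secret.  Assumption: a tester extends
# this list for the app under test.
SECRET_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}


def is_tls(payload: bytes) -> bool:
    """True if the first bytes look like a TLS record (handshake, v3.x).
    Encrypted flows reveal nothing about form fields to a sniffer."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_http_request(payload: bytes):
    """Split a raw HTTP/1.x request into (method, path, headers, body),
    or None if the bytes are not an HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body


def find_plaintext_credentials(flows):
    """Return one finding per flow whose plaintext request exposes a secret."""
    findings = []
    for flow in flows:
        payload = flow["payload"]
        if is_tls(payload):
            continue
        req = parse_http_request(payload)
        if req is None:
            continue
        method, path, headers, body = req
        exposed = {}
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            for field, values in parse_qs(body.decode("latin-1")).items():
                if field.lower() in SECRET_FIELDS:
                    exposed[field] = values[0]
        auth = headers.get("authorization", "")
        if auth.lower().startswith("basic "):
            # Basic auth is base64, not encryption: trivially reversed.
            exposed["authorization"] = base64.b64decode(auth[6:]).decode("latin-1")
        if exposed:
            findings.append({"host": headers.get("host", "?"),
                             "port": flow["dst_port"],
                             "method": method, "path": path,
                             "exposed": exposed})
    return findings


def http_request(method, host, path, body=b"", extra_headers=()):
    """Build a raw HTTP/1.1 request (used only to construct sample flows)."""
    head = f"{method} {path} HTTP/1.1\r\nHost: {host}\r\n"
    for name, value in extra_headers:
        head += f"{name}: {value}\r\n"
    if body:
        head += ("Content-Type: application/x-www-form-urlencoded\r\n"
                 f"Content-Length: {len(body)}\r\n")
    return head.encode("latin-1") + b"\r\n" + body


HOST = "api.example.invalid"   # hypothetical app backend
SAMPLE_FLOWS = [                # constructed, not real captures
    # Login form posted over plain HTTP: the password is visible.
    {"dst_port": 80, "payload": http_request(
        "POST", HOST, "/login", b"email=alice%40example.com&password=hunter2")},
    # The same login over TLS: only a ClientHello record is visible.
    {"dst_port": 443, "payload": b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + bytes(40)},
    # Plain HTTP, but nothing secret in it.
    {"dst_port": 80, "payload": http_request("GET", HOST, "/public/feed")},
    # Basic auth over plain HTTP: equally exposed.
    {"dst_port": 80, "payload": http_request(
        "GET", HOST, "/api/me",
        extra_headers=[("Authorization",
                        "Basic " + base64.b64encode(b"bob:s3cret").decode())])},
]

if __name__ == "__main__":
    for f in find_plaintext_credentials(SAMPLE_FLOWS):
        print(f"{f['method']} {f['host']}:{f['port']}{f['path']} "
              f"exposes {sorted(f['exposed'])}")
```

The same logic runs over real traffic once the flows come from a capture on the test network; the point of the TLS check is that an app which logs in over port 443 leaves the sniffer with nothing but a ClientHello, whereas the port 80 login hands over the password outright.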

COMMENTS

  1. Marlons

    I discovered something similar on a Twitter client for Nokia some years back. The issue was that, while testing a MITM attack, it would attempt to transmit via SSL and, through various iterations of the software, either 1) ignore the cert error and continue or 2) revert to non-SSL.

    Would be interested in checking the behavior after they 'fix' this one.
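The two behaviours described in the comment above, a client ignoring the certificate error and a client reverting to non-SSL, are the same fail-open design. Added example (Python; not code from any Twitter or Tumblr client): a simulated transport stands in for a MITM proxy presenting an untrusted certificate, a fail-open login helper retries over http:// when TLS verification fails, a fail-closed one refuses, and `is_fail_open` is the check you would run against a client after the "fix". The endpoint URL and credentials are hypothetical.

```python
"""Fail-open vs. fail-closed login clients under a certificate-validation
failure, e.g. a MITM presenting an untrusted certificate.

Added example, not code from any real client.  The network is simulated
so the script runs offline."""
import ssl
from urllib.parse import urlsplit

LOGIN_URL = "https://api.example.invalid/login"   # hypothetical endpoint


class Transport:
    """Constructed stand-in for the network.  Records every plaintext
    request body it carries, as a Wi-Fi sniffer or MITM proxy would."""

    def __init__(self, tls_cert_ok: bool):
        self.tls_cert_ok = tls_cert_ok
        self.observed_plaintext = []

    def send(self, url: str, body: dict) -> str:
        if urlsplit(url).scheme == "https":
            if not self.tls_cert_ok:
                # What ssl.SSLContext.wrap_socket raises for a certificate
                # that fails verification.
                raise ssl.SSLCertVerificationError("certificate verify failed")
            return "200 OK (encrypted)"
        # Plain HTTP: the body is visible to anyone on the path.
        self.observed_plaintext.append(body)
        return "200 OK (plaintext)"


def login_fail_open(transport, user, password):
    """The anti-pattern: swallow the TLS error and retry over http://."""
    body = {"user": user, "password": password}
    try:
        return transport.send(LOGIN_URL, body)
    except ssl.SSLError:
        return transport.send(LOGIN_URL.replace("https://", "http://", 1), body)


def login_fail_closed(transport, user, password):
    """Hardened: never downgrade; a verification error aborts the login."""
    if not LOGIN_URL.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-TLS URL")
    return transport.send(LOGIN_URL, {"user": user, "password": password})


def secure_context() -> ssl.SSLContext:
    """The context a real client should use: hostname check and a
    required, verified certificate (both are defaults here)."""
    return ssl.create_default_context()


def context_verifies(ctx: ssl.SSLContext) -> bool:
    """False for the other fail-open variant: a context that was told to
    ignore certificate errors (CERT_NONE / check_hostname=False)."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def is_fail_open(login_fn) -> bool:
    """Test harness: run the client against a MITM that breaks TLS and
    report whether a credential reached the wire in plaintext."""
    mitm = Transport(tls_cert_ok=False)
    try:
        login_fn(mitm, "alice", "hunter2")
    except ssl.SSLError:
        pass  # fail-closed clients end up here
    return any("password" in body for body in mitm.observed_plaintext)


if __name__ == "__main__":
    print("fail-open client leaks password:", is_fail_open(login_fail_open))
    print("fail-closed client leaks password:", is_fail_open(login_fail_closed))
```

Against a real app the `Transport` is replaced by an interposed proxy with a self-signed certificate; the login either fails with a verification error (good), succeeds through the proxy (variant 1, verification disabled), or shows up on port 80 (variant 2, downgrade).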

    1. LarsG

      Since I don't use Tumblr I don't really care, I care even less about other people's Tumblrs and have no urge to go sniffing them out.

      I have better things to do, beer please.

      1. sabroni Silver badge
        Meh

        better things to do

        like tell us how uninterested you are in this story....

    2. Anonymous Coward
      Pirate

      Good thing

      It's a good thing that all people use different passwords on social media sites than on their banking and credit card sites.

      Oh wait.... Let me rephrase that.

      It's a good thing that at least 1% of all internet users use different passwords on social media sites than on their banking and credit card sites.

      [the internet - turning billions of mindless sheep into fraud victims since 1974....]

  2. Anonymous Coward

    Fix already out

    The updated app was in the app store yesterday (16th), might have been nice if someone checked before publishing the article...

    1. Growler
      Holmes

      Re: Fix already out

      I'm curious: are you saying this is a non-story because the problem is fixed or that el reg should have noted that in the article?

      If the latter, it might have been nice for either Tumblr or Yahoo to inform the people who informed them of the issue that it had been fixed; and if the former, bad security on this sort of scale should always be reported!

    2. diodesign (Written by Reg staff) Silver badge

      Re: Fix already out

      "The updated app was in the app store yesterday"

      The Tumblr announcement is terse on details: what you have here is the actual story :-) Also, funny! how! the! update! appeared! over! night! after! we! contacted! Yahoo!

      C.

    3. BillG
      Joke

      Re: Fix already out

      "an issue that allowed passwords to be compromised in certain circumstances"

      where:

      "in certain circumstances" = "all the time"

    4. Anonymous Coward

      Re: Fix already out

      Problem is, without automatic pushed updates like Android has, iOS users are likely to be insecure for quite some time.

  3. Anonymous Coward

    Ah Tumblr, written for kids and idiots, by kids and idiots.

    1. Hud Dunlap
      Trollface

      @dijitulsupport

      And these kids and idiots made how much when they sold it?

      I should be so young and stupid.

  4. Anonymous Coward

    Tumblr is a website, right?

    Tumblr is basically a website, is it not? Or have I missed something?

    So can someone help me understand what the benefits are of having a "Tumblr app" to access the website?

    We have here an illustration of why using your favourite tried and tested web browser to access the site *might* have been a better idea (e.g. people know about the little padlock you look for when logging in).

    Obviously Tumblr isn't the only website in the website->app picture.

    I suspect the word "monetise" appears in the answer to why companies are doing this, but I'm not sure. All contributions gratefully received.

    1. ScottAS2
      Facepalm

      Re: Tumblr is a website, right?

      I suspect they're mainly doing it because some marketing drone has heard that it's the "in" thing to have an app.

      Inevitable XKCD: http://xkcd.com/1174/

    2. Anonymous Coward

      Re: Tumblr is a website, right?

      Tumblr is, basically, a blog site.

      (the lowest possible value for "blog" - ie pictures of cats and boobs)

      So I imagine the app will be logging into your tumblr page to create a post/content/whatever. A way of uploading a cat picture and some emo band lyrics via your phone.

      1. Craigness

        App makes sense on Android

        On Android the app can appear in the share menu, so it gets integrated into the OS in a way that web apps can't.

        There might be less data transfer when using the app, as the navigation, validation and appearance don't need to be downloaded.

      2. This post has been deleted by its author

      3. Alan Esworthy
        Trollface

        Re: Tumblr is a website, right?

        @DijitulSupport: "tumblr is, basically a blog site. (the lowest possible value for "blog" - ie pictures of cats and boobs)"

        ITYM "cats and dugs"

    3. Anonymous Coward

      Re: Tumblr is a website, right?

      It's a lot easier to upload content using an app than a webpage?

      After all, phone browsers don't have plugins like Flash and Java usually. Plus in the case of iOS and others the filesystem isn't revealed to users. Browser upload dialogs deal with files.

    4. Yag
      Trollface

      Re: Tumblr is a website, right?

      The benefits are :

      - Ability to slurp additional personal information on the user - especially that he uses a smartphone

      - Ability to send third party ads without being annoyed by ad blockers

      ...

      what? oh, you mean "benefits for the user"? well... WHO CARES?

    5. Anonymous Coward

      Re: Tumblr is a website, right?

      Tumblr is basically a website, is it not? Or have I missed something?

      So is Flickr / Facebook and on and on.

      Try using the Flickr App compared to the flickr website on mobe / tablet and you'll understand why.

      It's called ease of use. It's a thing many, many software engineers often forget, they write great code, but the actual interface is a frustrating pile of shit.

      1. Anonymous Coward

        Re: Tumblr is a website, right?

        "It's called ease of use. It's a thing many, many software engineers often forget, they write great code, but the actual interface is a frustrating pile of shit."

        Software engineers, web designers, who cares.

        If it's a piece of poo it's a piece of poo regardless of who designed it.

        Needing a dedicated app so that a large proportion of users of a website's content can conveniently access that content *may* just mean that the original website design is too poo for much of its intended market. Whose fault is that?

        Or does the logical conclusion of this trend lead to a separate app for every big website, thereby getting rid of the original concept(s) of browsers and content and websites and sharing, and reintroducing a set of unconnected and unconnectable 1990s CompuServe/AOL style walled gardens? You never know, it might work. Not.

        On the other hand, I think the concept of "slurping" and/or "monetising" may well be significant in this picture.

  5. Craigness

    Reality distortion field

    "Although all ios apps sometimes send unencrypted data, 84% of users consider ios to be more secure than Android"

    http://www.kinvey.com/blog/3037/uncommon-comparisons-of-the-app-store-vs-google-play-infographic

    ios v Android: Less encryption, more analytics, more tracking, more contact and calendar slurping.

  6. Anonymous Coward

    You mean like this web site does....

    http://forums.theregister.co.uk/

    Where the lack of https:// means I send my username and password in clear text.

    El reg in 'people who live in glass houses' shocker.

    1. gazthejourno (Written by Reg staff)

      Re: You mean like this web site does....

      Right, cos your Reg forum comments are obviously on par with the sensitive details contained in your email accounts...

      1. Mikey
        Thumb Up

        Re: You mean like this web site does....

        C'mon Gaz, with such urbane wit like those of, ooh... Eadon, amanfrommars1 and BarryShitpeas... you NEED proper security so that no-one can steal their login info, hijack the accounts, and post complete and utter shi...

        I see your point. Carry on!

        1. Anonymous Coward
          Stop

          Re: You mean like this web site does....

          I have no idea how you can lump amanfrommars with the likes of he who shall not be named and BS. The guy is legend...

      2. Brenda McViking
        Trollface

        Re: You mean like this web site does....

        But I, like 95% of the internet, use the same password everywhere - your argument is invalid.

      3. Cynical Shopper
        Facepalm

        Re: You mean like this web site does....

        "Right, cos your Reg forum comments are obviously on par with the sensitive details contained in your email accounts..."

        Nope - it's not the comments, it's the email and password that's sensitive, and it's exactly the same as the Tumblr issue you've reported about!

        1. gazthejourno (Written by Reg staff)

          Re: Re: You mean like this web site does....

          I'm not the tech department, so don't take my reply as gospel, but I'm thinking a) Reg comments contain very little of value (sorry, chaps and chapesses) vis-a-vis sensitive login services such as your email account, Facebook, etc etc, and b) there's insufficient cost/benefit to justify HTTPS for Reg Forums.

          Also, c), you shouldn't be using the same username/password combo here as for something important!

          1. Anonymous Coward
            FAIL

            Re: You mean like this web site does....

            Agree with a and c.

            b - that is a pretty mediocre response for a tech rag of El Reg's calibre. You could do this on a shoe string if you wanted. Hell, even self signed. I reckon you should source an official response for this.

          2. Cynical Shopper
            FAIL

            Re: You mean like this web site does....

            I would rate Tumblr's worthlessness to be pretty much on a par with the Reg's comments. As I explained before, it's the email address and password combo that's sensitive, not the service provided using them.

            Yes, you shouldn't be using the same password as for something important, but people do. Would you be happy if Tumblr had wheeled out the same poor excuse?

  7. LinkOfHyrule
    Joke

    The sex-blog platform

    No wonder it's called Tumblr - I thought it was just a shit name, I never knew they put so much clever wittiness into its naming!

    1. danR2

      Re: The sex-blog platform

      I'm not starting an account with a site that still cannot spell its own name.

      1. LinkOfHyrule

        Re: The sex-blog platform

        Imagine if this place renamed as "Da Regiztr"
