Exclusive Tumblr's iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result users' plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats'n'grumble free-content platform.
The wide-open security howler was discovered by a Reg reader during the course of auditing for his employer which iOS apps were permissible for use on corporate smartphones.
"I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc)," he explains.
"It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it on the companies Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."
As part of this process our man was asked to review Tumblr as a possible app that could be installed on users' work iPhones. Checking www.cluefulapp.com appeared to give Tumblr a clean bill of health. However he had a shock when he checked the network traffic. Screenshot here (note - email address used was disposable and password has been changed, our source assures us).
"The Tumblr iOS app is sending the password over plain text and not over SSL," our source explained, clarifying "we are not talking about password reminders but about just opening the app and logging in through the iOS app."
"This occurs when you first log into the application, although I didn't check past the initial logon screen," he added.
The same network traffic checks on a Mac revealed that login to Tumblr in this case was passed through a secure server, which avoided the exposure of username and passwords in plain text.
In all the iOS app testing our source carried out, he removed the SIM card so all the data travelled across a Wi-Fi network. The risk posed by the behaviour is obviously more severe if the Wi-Fi network being used is open and insecure, as is often the case with Wi-Fi hotspots in travel hubs such as airports and train stations, hotels and coffee shops.
Our source only came to El Reg with the issue after failing to get it resolved by simply reporting it to Tumblr's support team.
Dodi Glenn, director of security content management at ThreatTrack Security, confirmed that the Tumblr iOS failed to pass initial logins through a secure server.
“For an application like Tumblr, there should be no reason not to pass the login information over SSL," Glenn told El Reg. "We simply ran a firewall on a device in order to get some visibility of where the login process was going. Our investigation, though not scientific, suggests that it has one SSL connection but not at the point of logging in.”
The FireSheep network sniffing tool made it childsplay for anyone to capture your session log-in cookie from users on the same insecure wireless network. The appearance of the tool prompted sites like Twitter and Gmail to offer encrypted versions of their services via HTTPS connections. But at a time when always-on encryption is becoming more widespread Tumblr is failing to apply any encryption for the most sensitive part of the process, the initial login, for users of its native iOS app.
We've reported this issue to both Tumblr and Yahoo, which completed its acquisition of the micro-blogging service last month, but are yet to get anything more than an acknowledgement of receipt from either party. We'll update this story as and when we hear more. ®
Updated to add
Last night Tumblr released "a very important security update" for its iPhone and iPad app that fixes "an issue that allowed passwords to be compromised in certain circumstances". The sex-blog platform also urged users to change their passwords on Tumblr and anywhere else they've used the same password.