
Your Password is At Risk if you Use Tumblr for iOS

If you're a Tumblr iOS app user, it may be a wise decision to change your password on the account immediately.

According to a report from The Register, Tumblr's iOS app doesn't log users in via SSL. This means that users' login information isn't encrypted. Yes, this means that anybody snooping around Tumblr's network traffic can take passwords, which are sent in plaintext.

A Register reader reported this security vulnerability after he discovered it while auditing iOS apps for his job. "I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorized access to company data, contacts, etc.)," he stated. "It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it on the company's Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."

When he reviewed the Tumblr iOS app, he discovered the vulnerability. "The Tumblr iOS app is sending the password over plain text and not over SSL.

"This occurs when you first log into the application, although I didn't check past the initial logon screen." 

This issue wasn't replicated when logging into Tumblr outside of the app. The Register reader reported the issue only after failing to resolve it with the company itself.
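The check the reader describes doing by hand in Wireshark, spotting a login that leaves the device unencrypted, can be scripted over reassembled TCP payloads from your own test capture. This is an added example, not code from The Register's report or from Tumblr; the host, path and field names in the sample payloads are constructed, since the article does not show the app's actual login request.

```python
from urllib.parse import parse_qsl

# Field names treated as credentials (assumption; extend for the app under review).
SENSITIVE = {"password", "passwd", "pass", "pwd"}

def find_cleartext_credentials(payload: bytes):
    """Return sensitive form-field names seen in one reassembled TCP payload.

    A TLS stream begins with a record header (0x16 0x03 ...), never an HTTP
    request line, so anything that parses as HTTP here was sent unencrypted.
    Only field names are returned, so the report never contains the secrets.
    """
    head, sep, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if not sep or len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return []  # not a complete cleartext HTTP request (e.g. TLS)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    # Credentials can travel in the query string as well as the body.
    query = parts[1].partition(b"?")[2]
    fields = parse_qsl(query.decode("latin-1"))
    ctype = headers.get(b"content-type", b"")
    if ctype.startswith(b"application/x-www-form-urlencoded"):
        fields += parse_qsl(body.decode("latin-1"))
    return sorted({k for k, _ in fields if k.lower() in SENSITIVE})

# Constructed sample payloads (not captured from any real app).
CLEARTEXT_LOGIN = (
    b"POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 42\r\n\r\n"
    b"email=user%40example.test&password=hunter2"
)
QUERY_LOGIN = b"GET /auth?user=a&pwd=b HTTP/1.1\r\nHost: app.example.test\r\n\r\n"
TLS_CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303") + b"\x00" * 32

if __name__ == "__main__":
    samples = [("form login", CLEARTEXT_LOGIN), ("query login", QUERY_LOGIN),
               ("tls", TLS_CLIENT_HELLO)]
    for label, data in samples:
        print(label, "->", find_cleartext_credentials(data) or "no cleartext credentials")
```
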

The good news is that Tumblr's finally gotten around to updating its iOS app. "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances," states the Tumblr blog. "If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password."