Tumblr, the hugely popular blogging service which was bought by Yahoo! last month, has advised mobile users to change their passwords, and change them immediately. In a posting to the Tumblr staff blog, a spokesperson states: "We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances." The precise details of the vulnerability that enabled this password compromise appear to be rarer than rocking horse crap; however, there's a pretty big clue in a footnote to that staff blog post, which defines 'certain circumstances' as being "sniffed in transit on certain versions of the app".


From which we can fairly confidently extrapolate that the iPhone and iPad Tumblr apps have not been logging users into the platform securely, leaving anyone who has used them from an airport lounge or hotel lobby vulnerable to those who would hack your stuff. The Register broke the story after a security-conscious reader carried out an audit on the Tumblr app to see if it was secure enough to use on his corporate devices. "The Tumblr iOS app is sending the password over plain text and not over SSL," the auditor discovered. So the Tumblr app wasn't logging in over an HTTPS connection, and was therefore sending all login data as unencrypted, in-the-clear text. Text that is stupidly simple for a drive-by hacker to sniff and grab out of the ether. Or, more accurately, a sit-by hacker, as that's what they do in public areas such as those airport lounges and hotel lobbies mentioned earlier. There are dozens of readily available programs that enable such packet sniffing of Wi-Fi network traffic, and which will happily log the data so that the bad guys can pull logins out of the stream at their leisure.
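The check the reader above performed, reduced to code, is an audit of an app's own login traffic for secrets that leave the device without TLS. The following is an added example, not code from the article, from Tumblr or from The Register's reader. It takes a list of requests as a tester would record them from their own device through a local debugging proxy, and flags every request that carries a password, token or Authorization header over plain http. All requests, hostnames, paths and field names below are constructed placeholders, not Tumblr's real endpoints, and the SECRET_FIELDS list is an assumed starter set to extend for the app under review.

```python
"""Audit captured app requests for credentials sent without TLS (added example)."""
from urllib.parse import urlsplit, parse_qs

# Assumption: a practical starter list of form/query field names that carry
# secrets; extend it for the application being reviewed.
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "token", "api_key"}

# Constructed sample capture: (method, url, headers, body) as a local debugging
# proxy would log them. Hostnames, paths and values are placeholders.
SAMPLE_REQUESTS = [
    ("POST", "http://api.example.test/login",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "email=alice%40example.test&password=hunter2"),          # leak: plain http
    ("POST", "https://api.example.test/login",
     {"Content-Type": "application/x-www-form-urlencoded"},
     "email=alice%40example.test&password=hunter2"),          # fine: TLS
    ("GET", "http://api.example.test/dashboard?api_key=abc123", {}, ""),  # leak
    ("GET", "http://cdn.example.test/avatar.png", {}, ""),    # no secret, fine
    ("GET", "http://api.example.test/profile",
     {"Authorization": "Basic YWxpY2U6aHVudGVyMg=="}, ""),    # leak: Basic auth
]


def secret_fields_in(url, headers, body):
    """Return the names of secret-bearing fields present in one request."""
    found = set()
    # Secrets in the query string travel in the clear on http, and end up in logs.
    query = parse_qs(urlsplit(url).query)
    found.update(k for k in query if k.lower() in SECRET_FIELDS)
    # Form-encoded bodies are where login forms usually put the password.
    ctype = headers.get("Content-Type", "")
    if ctype.startswith("application/x-www-form-urlencoded"):
        found.update(k for k in parse_qs(body) if k.lower() in SECRET_FIELDS)
    # Basic/Bearer credentials are only base64-encoded, not encrypted.
    if "Authorization" in headers:
        found.add("Authorization")
    return found


def audit(requests):
    """Return a finding for every request that sends a secret over non-https."""
    findings = []
    for method, url, headers, body in requests:
        scheme = urlsplit(url).scheme.lower()
        secrets = secret_fields_in(url, headers, body)
        if secrets and scheme != "https":
            findings.append({"method": method, "url": url, "fields": sorted(secrets)})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f['method']} {f['url']} sends {', '.join(f['fields'])} without TLS")
```

Running it against the constructed capture reports three of the five requests: the http login POST, the api_key in a query string, and the Basic Authorization header. The https login is the only credential-bearing request that passes, which is the behaviour the fixed app should show for every login; the real remedy lives in the client, which should refuse to submit credentials to any URL whose scheme is not https rather than rely on a later audit.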

The fact that Tumblr wasn't using HTTPS might come as a surprise to some, but not to those in the security industry such as Graham Cluley, who points out that "up until January Yahoo! was one of the few major webmail providers which didn’t provide an option for users to login via HTTPS/SSL". Warning that "last time I looked, Yahoo Mail still wasn’t enabling this option by default", Cluley suggests that perhaps both Tumblr and Yahoo! need a security refresher if they are to properly look after the many millions of users they have.

In addition to downloading the updated apps, Tumblr advises users to "update your password on Tumblr and anywhere else you may have been using the same password" and adds that "it’s also good practice to use different passwords across different services by using an app like 1Password or LastPass." Talking of good practice, Tumblr is surely a candidate for the 'After The Horse Has Bolted' award 2013.


As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.


Tumblr, the hugely popular blogging service which was bought by Yahoo! last month, has advised mobile users to change their passwords, and change them immediately.

I did not know Tumblr was brought by Yahoo.

I think for security measure Yahoo did the right thing by sending out emails to warn members to change password.

I mean it's a bit of a fuss but it's good.


Mixing up your passwords for all of your services and systems on a regular basis is a good idea. Too many hacks occur these days, and using irregular sequences and changing your passwords may seem like a hassle, but in the end the protection it provides can save you a big headache if it is the case that you do get hacked.


Well, it doesn't matter to me who owns the site; the one thing that matters to me is how much effort I am putting into the site and what the output of that effort is. Changing your password at regular intervals is a good habit for escaping from being hacked. I usually change my pwd after a week.
