Risk
7/17/2013 12:06 PM
Tumblr iPhone Vulnerability: Change Passwords Now

Passwords are transmitted in plaintext by Tumblr's iPhone and iPad apps, leaving them vulnerable to being intercepted.

Warning for all users of Tumblr's iOS app: Change your password now, and upgrade to the latest version of the app on your iPhone or iPad.

The reason? Anyone using the app is vulnerable to having their Tumblr password "sniffed" in transit on certain versions of the app, according to a "very important security update" warning posted Tuesday to the Tumblr homepage by Derek Gottfrid, the company's VP of product.

"We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances. Please download the update now," Gottfrid said. "If you've been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It's also good practice to use different passwords across different services by using an app like 1Password or LastPass."

The vulnerability has been patched in version 3.4.1 of the iOS app, which Apple began distributing on Wednesday via iTunes.

The blogging platform's security warning didn't identify the precise vulnerability underlying the flaw. In fact, the problem stemmed from the blogging platform having failed to use an SSL-encrypted connection for logging in iOS users. As a result, an attacker using the same Wi-Fi network as an iOS device could have easily sniffed a user's Tumblr password because it was being transmitted in plaintext, the Register reported.

Kudos for the vulnerability discovery went to an apparent information security professional who discovered the flaw while conducting a business-ordered audit of iOS apps. "I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorized access to company data, contacts, etc.)," he told the Register. "It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third-party analytics companies, not seeing any mention of it on the companies' Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does."

Likewise, the Tumblr app's behavior came as a surprise. While a review of the Tumblr iOS app using the Clueful privacy assessment tool didn't turn up any red flags, the source said that a study of the actual network behavior revealed that the iOS app was transmitting log-in details via HTTP, using plaintext that could have been intercepted by anyone using a packet analyzer such as Wireshark, or a tool such as Firesheep. "We are not talking about password reminders but about just opening the app and logging in through the iOS app," the source said of the failure to use SSL. "This occurs when you first log into the application, although I didn't check past the initial logon screen."
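The audit described above boils down to one check: does the app ever put a credential on the wire outside TLS? The script below, an added example rather than anything from Tumblr or the researcher, automates that check over requests reconstructed from a capture of your own device's traffic (as Wireshark's "Follow TCP Stream" shows them). The field-name list, the port-based TLS test and the sample requests are assumptions constructed for the example.

```python
"""App-vetting check: flag credentials an app sends over cleartext HTTP.
Each capture is (dst_port, raw_request) as a packet analyzer such as
Wireshark reconstructs it. The samples below are constructed, not real."""
from urllib.parse import parse_qs, urlsplit

# Field names that usually carry a secret (assumed list, extend as needed).
CREDENTIAL_FIELDS = {"password", "passwd", "pwd", "pass", "secret"}

def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, target, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}

def credential_fields(req: dict) -> set:
    """Names of credential-looking fields in the query string or form body."""
    fields = set(parse_qs(urlsplit(req["target"]).query, keep_blank_values=True))
    if "x-www-form-urlencoded" in req["headers"].get("content-type", ""):
        fields |= set(parse_qs(req["body"], keep_blank_values=True))
    found = {f for f in fields if f.lower() in CREDENTIAL_FIELDS}
    if req["headers"].get("authorization", "").lower().startswith("basic "):
        found.add("authorization")  # Basic auth is base64, not encryption
    return found

def audit(captures: list) -> list:
    """Return (target, fields) for each credential sent without TLS; a request
    readable on port 80 crossed the network as the same bytes a sniffer sees."""
    findings = []
    for port, raw in captures:
        if port == 443:
            continue  # TLS: only ciphertext is visible on the wire
        req = parse_request(raw)
        fields = credential_fields(req)
        if fields:
            findings.append((req["target"], sorted(fields)))
    return findings

# Constructed sample: a cleartext login POST (the defect above) and a harmless GET.
SAMPLE = [
    (80, "POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         "email=user%40example.test&password=hunter2"),
    (80, "GET /avatar.png HTTP/1.1\r\nHost: cdn.example.test\r\n\r\n"),
]
```

Run `audit(SAMPLE)` to get `[("/login", ["password"])]`; a clean app yields an empty list, and the same POST on port 443 is skipped because its bytes would never have been readable in the capture.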

The source said he'd gone public with the vulnerability after contacting Tumblr's support team and failing to see a fix. Asked to address those allegations and detail the length of time it took to release a fix, Katherine Barna, head of communications for Tumblr, said via email: "Tumblr was notified of a security vulnerability introduced in our iOS app. We immediately released an update that repairs the issue and are notifying affected users. We obviously take these incidents very seriously and deeply regret this error."

But the iOS app gaffe is curious, given the fallout that accompanied the arrival of Firesheep nearly three years ago, which was built to demonstrate just how easy it is to intercept passwords when sites don't use SSL encryption for the entire session. The debut of Firesheep, notably, drove Facebook, Gmail and Twitter, amongst other services, to begin using HTTPS to encrypt all sessions by default.

"Obviously, it's good news that Tumblr has now released a version of its app which fixes this flaw. But the gaping security hole shouldn't have been present in the first place," said independent security researcher Graham Cluley in a blog post. "And an updated app doesn't rescue any users' passwords which may have been stolen or exposed up until now."
