Popular blogging platform Tumblr pushed out an emergency update to its iOS app yesterday, patching an apparent password sniffing bug that attackers may have been using to steal users’ logins and passwords.
The update, version 3.4.1 on iOS addresses “an issue that allowed passwords to be compromised in certain circumstances,” in this case, when a user entered their password over public WiFi.
Tumblr’s warning went on; suggesting that users change their password, hinting the flaw may have been an issue for a while and could affect anyone who may use the same password on other websites.
“If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password,” Derek Gottfrid, Tumblr’s VP of Product wrote on the company’s blog yesterday.
The news almost certainly means that Tumblr wasn’t logging users in through a secure (SSL) server, which in turn means that anyone using a password sniffing application, such as Firesheep, could glean the passwords – in plain text – of those logging in through a public network. In this case, anyone logging into their Tumblr app on an iPhone over Wifi in a public space such as Starbucks, or the local library, was vulnerable to the flaw.
While most websites have eagerly adopted SSL-protection over the last few years, Yahoo, who bought Tumblr for a cool $1.1. billion in May, have fallen behind. It wasn’t until January that the company gave its webmail users the option to encrypt their sessions with an SSL connection. While that was certainly a step in the right direction, Yahoo still hasn’t enabled the connection by default and it’s unclear if they plan to at any point in the future.
