
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,290
30,366



Tumblr has released an update to its iOS app, fixing a security issue that allowed the passwords of iPhone and iPad users to be compromised. The company has explained the security breach on its blog, noting that some versions of the app allowed the passwords to be detected in transit:
> We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now.
>
> If you've been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password. It's also good practice to use different passwords across different services by using an app like 1Password or LastPass.
>
> Please know that we take your security very seriously and are tremendously sorry for this lapse and inconvenience.
>
> ¹ "Sniffed" in transit on certain versions of the app

Tumblr gave a statement to The Verge, noting that the company was "notified of a security vulnerability" introduced into its iOS app earlier today and therefore took immediate action to fix the issue and notify its affected users. It is unknown how many people may have been affected.

Tumblr can be downloaded from the App Store for free.

Article Link: Tumblr Issues Emergency Security Update to Fix Password Sniffing Bug
 

AngerDanger

Graphics
Staff member
Dec 9, 2008
5,452
29,002
Ahhhh, I love the smell of bug fixes in the morning. Some prefer the smell of passwords, but not this guy!
 

Pakaku

macrumors 68040
Aug 29, 2009
3,120
4,359
Good, now I can share Sherlock, Dr. Who, and other softcore porn with peace of mind again ;)
 

KattDaDon

macrumors 6502
Jul 6, 2011
469
0
What Tumblr really needs to do is fix the double post issue. It frustrates me when I reblog one post and it ends up being double posted.
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,544
6,042
And what's become of the developer who decided to broadcast login info like that?

Do they not have internal code checking? Who reviewed that code? What made it so that two separate people thought it was an okay protocol for login information?
 

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
> And what's become of the developer who decided to broadcast login info like that?
>
> Do they not have internal code checking? Who reviewed that code? What made it so that two separate people thought it was an okay protocol for login information?

Considering that the exact nature of the vulnerability and how many people were affected are unknown to us, the point is somewhat moot.
 

mwebb

macrumors member
Jan 18, 2011
50
9
Sniffed just the Tumblr password or the iPhone password?

The article makes it sound like the bug allows eavesdropping on other passwords...not just the Tumblr password.
 

Parasprite

macrumors 68000
Mar 5, 2013
1,698
144
> The article makes it sound like the bug allows eavesdropping on other passwords...not just the Tumblr password.

Considering many people have one password that they reuse everywhere, yes.

Or at least one general "default password that I use for any site that I don't care about".
 

jdogg836

macrumors 6502
Jul 28, 2010
296
216
Oklahoma
> Considering many people have one password that they reuse everywhere, yes.
>
> Or at least one general "default password that I use for any site that I don't care about".

I used to be this guy, now I've beefed up all my passwords. I showed my mom how hers could be guessed. She uses very similar passwords consisting of a few words/initials/numbers. I used a password cracking program, entered what little bit I knew about her and all her passwords were cracked in less than 3 minutes on a fairly old computer. She has since toughened them up. But I would say that the Tumblr situation just shows how leaking it in one place makes you vulnerable everywhere.
 