Tumblr users on iOS devices urged to update app and change password over gaping security hole
To err is human, and in this case with the Tumblr app for iOS, it was a pretty big err. Derek Gottfrid, Tumblr Product Vice President posted on the site’s blog last night urging users of the official iPhone and iPad app to update right away and to update their passwords.
He also noted that the update addresses a problem which might have allowed passwords to be compromised in certain circumstances while providing minimal detail by way of a footnote that read: “’Sniffed’ in transit on certain versions of the app.”
Gottfrid then admonishes users to not use common passwords across different services and suggests using apps like 1Password and LastPass to help manage different passwords for different services without having to memorize everything.
One might think there was some kind of hack or something that prompted the update, but sadly it was not anything so exotic. No, it turns out that the iOS apps for Tumblr were not encrypting or securely transmitting username and password data, meaning anytime you lagged in with iOS app on a public connection (like at an airport or Starbucks) it could be captured with a simple sniffer program.
So, get on with things, update your credentials and remember, do not use any of these as new passwords.
source: Tumblr via BetaBeat
He also noted that the update addresses a problem which might have allowed passwords to be compromised in certain circumstances while providing minimal detail by way of a footnote that read: “’Sniffed’ in transit on certain versions of the app.”
One might think there was some kind of hack or something that prompted the update, but sadly it was not anything so exotic. No, it turns out that the iOS apps for Tumblr were not encrypting or securely transmitting username and password data, meaning anytime you lagged in with iOS app on a public connection (like at an airport or Starbucks) it could be captured with a simple sniffer program.
That the gaping security hole should not have been there in the first place is another discussion, at least Tumblr set things right, however it does not help those whose passwords and user data may have already been sniffed out to this point.
So, get on with things, update your credentials and remember, do not use any of these as new passwords.
source: Tumblr via BetaBeat
Things that are NOT allowed: