I'll Tumbl For You

Tumblr Asked You to Reset Your Password Because of a Pretty Embarrassing Security Hole

Well, this just stokes all our public Wifi paranoia.
eeeeeeesh (Photo by Andrew Burton/Getty Images)

eeeeeeesh (Photo by Andrew Burton/Getty Images)

Last night, Tumblr product VP Derek Gottfrid posted a rather alarming communique to its users, far from the usual omg-we’re-just-so-darn-happy-to-announce gushing. “We have just released a very important security update for our iPhone and iPad apps addressing an issue that allowed passwords to be compromised in certain circumstances¹. Please download the update now,” the post read, emphasis theirs.

“If you’ve been using these apps, you should also update your password on Tumblr and anywhere else you may have been using the same password,” the company added, before closing on an abject note, saying Tumblr was “tremendously sorry for this lapse and inconvenience.”

The post was long on urgency, short on explanation. But according to BuzzFeed, it wasn’t some massive hack attack that inspired the update. Nope, user info straight up wasn’t being encrypted and securely transmitted during login, reports the Register, whose reader found the hole. That means that anytime you logged into the iPhone app via a public connection–think an airport cafe–anyone with a simple sniffer program could see your plain-text password.

Whoopsie daisy! Guess they had their hands full building this feature, which allows you to make GIFs with your webcam.

A Tumblr spokesperson told Betabeat, “Yesterday, Tumblr was notified of a security vulnerability introduced in our iOS app. We immediately released an update that repairs the issue and are notifying affected users. We obviously take these incidents very seriously and deeply regret this error.”

Says security researcher Graham Cluley, “The gaping security hole shouldn’t have been present in the first place. And an updated app doesn’t rescue any users’ passwords which may have been stolen or exposed up until now.”

This is yet another reminder that you should not be reusing passwords across the Internet–not that it’s going to stop you.

Follow Kelly Faircloth on Twitter or via RSS. kfaircloth@observer.com