Tumblr’s iOS app fails to log users in through a secure (SSL) server, it has emerged. As a result users’ plaintext passwords are exposed to anyone able to sniff traffic on any Wi-Fi network an iOS user happens to use to connect to the popular cats’n’grumble free-content platform.
The wide-open security howler was discovered by a Reg reader during the course of auditing for his employer which iOS apps were permissible for use on corporate smartphones.
“I was asked to investigate various iOS apps at work to see if they are suitable for company use (no unauthorised access to company data, contacts, etc),” he explains.
“It has been a slow process of checking what the app does through Wireshark, seeing it sends some of my data to third party analytics companies, not seeing any mention of it on the companies Terms of Service, emailing the company and getting a response several weeks later stating they will update their ToS to reflect what the iOS app actually does.”
Most Commented Posts
2020 Cybersecurity Landscape: 100+ Experts’ Predictions
Cyber Security Predictions 2021: Experts’ Responses
Experts’ Responses: Cyber Security Predictions 2023
Celebrating Data Privacy Day – 28th January 2023
Data Privacy Protection Day (Thursday 28th) – Experts Comments
Most Active Commenters
Meta’s fine over data privacy breaches underscores the critical challenges…
Hi, Thanks, that is really useful information. I do have…
“This is a very worrying attack that hit T-Mobile and…
“This latest cyberattack against T-Mobile may be smaller than previous…
“Genesis Market is a complex global criminal access marketplace. Buyers…